<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1435774903807_2887">Hello,</div><div id="yui_3_16_0_1_1435774903807_2988"><br></div><div id="yui_3_16_0_1_1435774903807_2989" dir="ltr">At one point after following your config, it appeared as if 'generic SIM messages' were arriving at the SIEM.</div><div id="yui_3_16_0_1_1435774903807_2990" dir="ltr">Of course, I made more changes and I'm not back there again.</div><div id="yui_3_16_0_1_1435774903807_3031" dir="ltr">I'll continue to keep working in time allotments until I get it working.</div><div id="yui_3_16_0_1_1435774903807_3037" dir="ltr"><br></div><div id="yui_3_16_0_1_1435774903807_3038" dir="ltr">I'm still not fully convinced that messages are arriving at the Juniper JSA SIEM; however, I'll keep trying things.</div><div id="yui_3_16_0_1_1435774903807_3039" dir="ltr">I think what you provided me is closer to getting it working.</div><div id="yui_3_16_0_1_1435774903807_3041" dir="ltr"><br></div><div id="yui_3_16_0_1_1435774903807_3094" dir="ltr">By the way, what options and explanations are there for the ';mark.info' part of 'local5.*;mark.info'?<br></div><div id="yui_3_16_0_1_1435774903807_3096" dir="ltr"><br></div><div dir="ltr"><br></div><div id="yui_3_16_0_1_1435774903807_3097" dir="ltr">thanks,</div><div id="yui_3_16_0_1_1435774903807_3098" dir="ltr">Charles<br></div><div id="yui_3_16_0_1_1435774903807_2850"><span></span></div><br>  <div id="yui_3_16_0_1_1435774903807_2886" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1435774903807_2885" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div 
id="yui_3_16_0_1_1435774903807_2884" dir="ltr"> <hr size="1">  <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Brandon Lattin &lt;latt0050@umn.edu&gt;<br> <b><span style="font-weight: bold;">To:</span></b> Oliver Humpage &lt;oliver@watershed.co.uk&gt; <br><b><span style="font-weight: bold;">Cc:</span></b> chuckpc@yahoo.com; "oisf-users@openinfosecfoundation.org" &lt;oisf-users@openinfosecfoundation.org&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, June 30, 2015 10:42 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Oisf-users] Suricata 2.0.8 --&gt;Cannot get logs to SIEM<br> </font> </div> <div id="yui_3_16_0_1_1435774903807_2993" class="y_msg_container"><br><div id="yiv8386188696"><div id="yui_3_16_0_1_1435774903807_2992"><div id="yui_3_16_0_1_1435774903807_2991" dir="ltr">Ack. <div id="yui_3_16_0_1_1435774903807_3011"><br clear="none"></div><div id="yui_3_16_0_1_1435774903807_2996">nc is great for backdoors, but not exactly my first choice for production configurations.<div><br clear="none"></div><div id="yui_3_16_0_1_1435774903807_2995">Just export it with a specific facility.<div><br clear="none"></div><div id="yui_3_16_0_1_1435774903807_2994">rsyslog.conf snippet:</div><div id="yui_3_16_0_1_1435774903807_2997"><pre>local5.*;mark.info              @foo.bar.com</pre></div><div><br clear="none"></div><div>suricata.yaml snippet (note the double syslog config; necessary as eve-log to syslog doesn't do anything without "- syslog:" also configured; someday this will get fixed?):</div><div><br clear="none"></div><div><pre>
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      append: yes
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      #filename: eve-port0.json
      # the following are valid when type: syslog above
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
            payload: no           # enable dumping payload in Base64
            payload-printable: yes # enable dumping payload in printable (lossy) format
            packet: no            # enable dumping of packet (without stream segments)
            http: no              # enable dumping of http fields
</pre></div></div></div><div><br clear="none"></div><div>Or you could just use Splunk with a Splunk Universal Forwarder and just eat the eve.json directly off the sensor ;-P</div></div><div class="yiv8386188696gmail_extra"><br clear="none"><div class="qtdSeparateBR"><br><br></div><div class="yiv8386188696yqt9670841817" id="yiv8386188696yqtfd09836"><div class="yiv8386188696gmail_quote">On Tue, Jun 30, 2015 at 9:29 AM, Oliver Humpage <span dir="ltr">&lt;<a rel="nofollow" shape="rect" ymailto="mailto:oliver@watershed.co.uk" target="_blank" href="mailto:oliver@watershed.co.uk">oliver@watershed.co.uk</a>&gt;</span> wrote:<br clear="none"><blockquote 
class="yiv8386188696gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br clear="none">
On 30 Jun 2015, at 15:05, <a rel="nofollow" shape="rect" ymailto="mailto:chuckpc@yahoo.com" target="_blank" href="mailto:chuckpc@yahoo.com">chuckpc@yahoo.com</a> wrote:<br clear="none">
<br clear="none">
> *.* @172.18.1.155:514<br clear="none">
<br clear="none">
If that's sending absolutely everything that gets syslogged to the SIEM, perhaps the SIEM is getting confused?<br clear="none">
<br clear="none">
Have you tried getting rsyslog to send the suricata output to a file, and then sending individual lines over to the SIEM using nc(1)? That'd make sure it really was logging the lines you'd expect, and then you can use eg<br clear="none">
<br clear="none">
echo '<14>sourcehost LogLine' | nc -u 172.19.1.155 514<br clear="none">
<br clear="none">
to see if you can get the SIEM to accept valid lines. Also compare said lines with the output of snort and see if there's a difference.<br clear="none">
<br clear="none">
If that works, try limiting what's being sent in rsyslog. If it doesn't work, I'd suspect a config issue in the receiving host.<br clear="none">
<br clear="none">
You may have already tried all this of course. I'm afraid I use logstash (and logstash-forwarder) to centralise log collection, so my knowledge of Junipers and rsyslog is limited.<br clear="none">
<br clear="none">
Oliver.<br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
Suricata IDS Users mailing list: <a rel="nofollow" shape="rect" ymailto="mailto:oisf-users@openinfosecfoundation.org" target="_blank" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br clear="none">
Site: <a rel="nofollow" shape="rect" target="_blank" href="http://suricata-ids.org/">http://suricata-ids.org</a> | Support: <a rel="nofollow" shape="rect" target="_blank" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a><br clear="none">
List: <a rel="nofollow" shape="rect" target="_blank" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br clear="none">
Suricata User Conference November 4 & 5 in Barcelona: <a rel="nofollow" shape="rect" target="_blank" href="http://oisfevents.net/">http://oisfevents.net</a><br clear="none">
</blockquote></div></div><br clear="none"><br clear="all"><div><br clear="none"></div>-- <br clear="none"><div class="yiv8386188696gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br clear="none"><div>University of Minnesota - University Information Security<br clear="none">Office: 612-626-6672</div></div></div></div><div class="yiv8386188696yqt9670841817" id="yiv8386188696yqtfd88779">
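<p>The pieces of the recipe above, made concrete in one added example (this is not code from the original thread, from Suricata or from rsyslog): the PRI arithmetic that turns facility/severity into the <code>&lt;14&gt;</code> of the nc test and the <code>&lt;174&gt;</code> that <code>local5.info</code> produces, a matcher for legacy rsyslog selectors so you can see exactly what <code>local5.*;mark.info</code> does and does not select, and wrapping one EVE alert record into the RFC 3164-style UDP datagram that the <code>@host</code> action emits. The host name <code>sensor01</code>, the collector address <code>192.0.2.10</code>, the sample alert record, and code 24 for rsyslog's <code>mark</code> pseudo-facility (sysklogd's LOG_MARK) are assumptions; forwarding the <code>-- MARK --</code> heartbeat also assumes <code>immark</code> is loaded in rsyslog.</p>

```python
"""Syslog PRI arithmetic, rsyslog-style selector matching and wrapping of
an EVE JSON alert into a syslog datagram.  Added example, not code from
Suricata or rsyslog.  Host names and addresses (sensor01, 192.0.2.10)
are assumptions chosen for illustration."""
from __future__ import annotations

import json
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 3164/5424.  "mark" is rsyslog's
# pseudo-facility for the "-- MARK --" heartbeat from immark; it never
# appears on the wire.  Code 24 for it is sysklogd's LOG_MARK (assumption).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
    "mark": 24,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity: local5.info is 174, user.info is 14."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple[str, str]:
    """Inverse of encode_pri; the <14> in the nc test decodes to user.info."""
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a legacy rsyslog/sysklogd selector such as 'local5.*;mark.info'.

    Each ';'-separated part is FACILITY[,FACILITY].LEVEL, where LEVEL is:
      '*'     every severity            'none'  nothing (clears the facility)
      'info'  info and more severe      '=info' exactly info
      '!err'  remove err and more severe from what earlier parts selected
    A '*' facility covers every real facility but not the mark pseudo-facility,
    so '*.* @host' alone never forwards the heartbeat; 'mark.info' does.
    """
    mask = {f: 0 for f in FACILITIES}      # bit n set => severity n selected
    for part in selector.split(";"):
        fac_spec, level = part.strip().rsplit(".", 1)
        if fac_spec == "*":
            facs = [f for f in FACILITIES if f != "mark"]
        else:
            facs = [f.strip() for f in fac_spec.split(",")]
        negate = level.startswith("!")
        level = level.lstrip("!")
        if level in ("*", "none"):          # both assign the mask outright
            bits = 0xFF if level == "*" and not negate else 0
            for f in facs:
                mask[f] = bits
            continue
        if level.startswith("="):
            bits = 1 << SEVERITIES[level[1:]]
        else:
            bits = (2 << SEVERITIES[level]) - 1   # bits 0..level inclusive
        for f in facs:
            mask[f] = mask[f] & ~bits if negate else mask[f] | bits
    return bool(mask[facility] & (1 << SEVERITIES[severity]))


def eve_to_syslog(eve_line: str, hostname: str, tag: str = "suricata",
                  facility: str = "local5", severity: str = "info",
                  now: datetime | None = None) -> bytes:
    """Wrap one EVE JSON record in an RFC 3164-style datagram, the shape the
    'local5.* @host' rsyslog action emits over UDP (no octet framing)."""
    record = json.loads(eve_line)                 # fail early on a torn line
    ts = now or datetime.now(timezone.utc)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # RFC 3164 pads the day with a space
    body = json.dumps(record, separators=(",", ":"))
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {body}".encode()


def send_udp(datagram: bytes, host: str, port: int = 514) -> int:
    """Send one datagram to a collector, as 'nc -u host 514' would; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


# Constructed EVE alert record, the kind Suricata writes one per line to eve.json.
SAMPLE_EVE_ALERT = json.dumps({
    "timestamp": "2015-06-30T10:42:00.000000+0000",
    "event_type": "alert",
    "src_ip": "198.51.100.7", "src_port": 80,
    "dest_ip": "192.0.2.20", "dest_port": 49152, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
              "signature": "GPL ATTACK_RESPONSE id check returned root",
              "category": "Potentially Bad Traffic", "severity": 2},
})

if __name__ == "__main__":
    print(decode_pri(14))                         # the <14> from the nc test
    for fac, sev in (("local5", "debug"), ("mark", "info"), ("mark", "debug")):
        print(f"local5.*;mark.info selects {fac}.{sev}:",
              selector_matches("local5.*;mark.info", fac, sev))
    datagram = eve_to_syslog(SAMPLE_EVE_ALERT, "sensor01")
    print(datagram.decode())
    # send_udp(datagram, "192.0.2.10")            # point at the real collector to test
```

<p>Running it prints the decoded PRI, three selector decisions and the datagram; uncomment <code>send_udp</code> to aim it at the collector. If tcpdump on the SIEM side shows <code>&lt;174&gt;</code> datagrams landing but nothing is indexed, the fault is in the receiver's log-source configuration rather than in rsyslog. In the sysklogd selector semantics modelled here, <code>*.*</code> on its own does not include the mark heartbeat, which is why <code>mark.info</code> is named explicitly; with it, the SIEM receives a periodic <code>-- MARK --</code> even while Suricata is silent, so a quiet sensor can be told apart from a broken pipeline.</p>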
</div></div></div></div><br><br></div> </div> </div>  </div></body></html>