<div dir="ltr">Thanks Greg! Makes sense. <div><br></div><div>Using the following in rsyslog.conf:</div><div><br></div><div><div>input (</div><div>        type="imfile"</div><div>        File="/var/log/suricata/fast.log"</div><div>        Tag="Suricata"</div><div>        Severity="info"</div><div>        Facility="local5")</div></div><div><br></div><div>and relaying all facility to the SIEM, with:</div><div><br></div><div>*.* @server:514<br></div><div><br></div><div>Should be all I need then. Still, can't seem to get messages from fast.log. </div><div><br></div><div>Any tips/pointers appreciated. </div><div><br></div><div>Thank you.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 11, 2018 at 1:22 AM, Greg Grasmehr <span dir="ltr"><<a href="mailto:greg.grasmehr@caltech.edu" target="_blank">greg.grasmehr@caltech.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">AFAIK you either have to configure local rsyslog to monitor the fast.log<br>
output with imfile and forward it, or do as we do and output to unified2<br>
file and use Barnyard2 to forward to local5 and config your local<br>
rsyslog.conf to forward to your remote server<br>
<br>
Greg<br>
<div><div class="h5"><br>
On 04/10/18 23:29:53, Tiago Faria wrote:<br>
> Hi list,<br>
><br>
> In a environment where my syslog data is being forwarded to a collector (SIEM,<br>
> for example), previously, I was able to get the output that can be found in<br>
> fast.log from syslog itself (and those messages would end up in the SIEM).<br>
><br>
> On my latest test, though, I can’t.<br>
><br>
> Other than specifying the syslog output, is there anything that needs to be<br>
> done so that Suricata also writes to syslog (in this particular case, rsyslog)?<br>
><br>
> Thank you.<br>
<br>
</div></div>> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br>
<br>
</blockquote></div><br></div>