<div dir="ltr"><div>Can you share your suricata.yml? Ideally Suricata should not write events to syslog, eve-json is best used for that. Take a look here to disable the syslog output</div><div><br></div><div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html">https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html</a></div><div><br></div><div>And here to enable the eve-json</div><div><br></div><div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html">https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html</a></div><div><br></div><div>We use syslog-ng to pick up messages from the JSON file and ship them to SIEM.<br></div><div><br></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 19, 2019 at 6:02 AM <<a href="mailto:craig@reswob10.net">craig@reswob10.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p><br></p>
<p>Hi, new to suricata.  I have a new install on CentOS 7 running rsyslog 8.24.0-34.el7 and I have suricata 4.1.4</p>
<p><br></p>
<p>My problem is it appears rsyslog is blocking writing of events to /var/log/messages because I see no suricata logs, but many of these entries:</p>
<p>journal: Suppressed 13475 messages from /system.slice/suricata.service  </p>
<p>(the number of suppressed messages changes, but the main message stays the same)</p>
<p><br></p>
<p>Is there a particular area of my config I should look at to tweak to fix this? Does this mean I should migrate to a server with more CPU and/or RAM? </p>
<p>Thanks</p>
<p>Craig</p>
<p><br></p>
<p>My other question is this: is there a way to search the archives?  I went to <a href="https://lists.openinfosecfoundation.org/pipermail/oisf-users/" target="_blank">https://lists.openinfosecfoundation.org/pipermail/oisf-users/</a> but I didn't see a search capability....</p>

</div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
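<div>The change the reply recommends, shown as an added illustration (not a config posted by either participant): the relevant <code>outputs:</code> section of <code>suricata.yaml</code> (the file the reply calls suricata.yml) with the <code>syslog</code> output switched off and <code>eve-log</code> writing to a JSON file instead. Every event then lands in one file that a log shipper can tail, rather than flooding journald, which is what the "Suppressed N messages" lines are reporting. The file path, facility and the list of event types are assumed defaults and can be adjusted to taste.</div>

```yaml
# Excerpt of the outputs section of suricata.yaml (added example, not from the thread).
# Only the two outputs discussed in the reply are shown; other outputs are left as they are.
outputs:
  # EVE JSON log: one JSON object per line, the recommended event sink.
  - eve-log:
      enabled: yes
      filetype: regular          # write to a plain file; 'syslog' is also possible but not wanted here
      filename: eve.json         # relative to default-log-dir, i.e. /var/log/suricata/eve.json (assumed default)
      types:
        - alert
        - http
        - dns
        - tls
        - flow
        - stats:
            totals: yes

  # Syslog alert output: the one that was driving journald into rate limiting.
  - syslog:
      enabled: no                # was 'yes'; leave disabled so events go only to eve.json
      facility: local5
      level: Info
```

<div>After editing, run <code>suricata -T -c /etc/suricata/suricata.yaml</code> to validate the file before restarting the service. The shipper then reads <code>/var/log/suricata/eve.json</code> line by line (with syslog-ng, a <code>file()</code> source with the <code>no-parse</code> flag so the JSON is forwarded untouched) and sends it to the SIEM, keeping the journal quiet and the events intact.</div>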