
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>

<p>Thanks.  I followed your suggestions and re-enabled the eve-json.  </p>

<p>A co-worker had switched it to the other method and I was trying to duplicate that person's effort.</p>

<p>Working now per below.</p>

<p><br /></p>

<p>Craig</p>

<p><br /></p>

<p>On 2019-06-30 16:48, Michał Purzyński wrote:</p>

<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->

<div dir="ltr">

<div>Can you share you suricata.yml? Ideally Suricata should not write events to syslog, eve-json is best used for that. Take a look here to disable the syslog output</div>

<div> </div>

<div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html" target="_blank" rel="noopener noreferrer">https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html</a></div>

<div> </div>

<div>And here to enable the eve-json</div>

<div> </div>

<div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html" target="_blank" rel="noopener noreferrer">https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html</a></div>

<div> </div>

<div>We use syslog-ng to pick up messages from the JSON file and ship them to SIEM.</div>

<div> </div>

</div>

<br />

<div class="gmail_quote">

<div class="gmail_attr" dir="ltr">On Wed, Jun 19, 2019 at 6:02 AM <<a href="mailto:craig@reswob10.net">craig@reswob10.net</a>> wrote:</div>

<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">

<div style="font-size: 10pt; font-family: Verdana,Geneva,sans-serif;">

<p><br /></p>

<p>Hi, new to suricata.  I have a new install on CentOS 7 running rsyslog 8.24.0-34.el7 and I have suricata 4.1.4</p>

<p><br /></p>

<p>My problem is it appears rsyslog is blocking writing of events to /var/log/messages because I see no suricata logs, but many of these entries:</p>

<p>journal: Suppressed 13475 messages from /system.slice/suricata.service </p>

<p>(the number of suppressed messages changes, but the main message stays the same)</p>

<p><br /></p>

<p>Is there a particular area of my config I should look at to tweak to fix this? Does this mean I should migrate to a server with more CPU and/or RAM?</p>

<p>Thanks</p>

<p>Craig</p>

<p><br /></p>

<p>My other question is this: is there a way to search the archives?  I went to <a href="https://lists.openinfosecfoundation.org/pipermail/oisf-users/" target="_blank" rel="noopener noreferrer">https://lists.openinfosecfoundation.org/pipermail/oisf-users/</a> but I didn't see a search capability....</p>

</div>

_______________________________________________<br /> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br /> Site: <a href="http://suricata-ids.org" target="_blank" rel="noopener noreferrer">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank" rel="noopener noreferrer">http://suricata-ids.org/support/</a><br /> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" rel="noopener noreferrer">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br /><br /> Conference: <a href="https://suricon.net" target="_blank" rel="noopener noreferrer">https://suricon.net</a><br /> Trainings: <a href="https://suricata-ids.org/training/" target="_blank" rel="noopener noreferrer">https://suricata-ids.org/training/</a></blockquote>

</div>

</blockquote>

</body></html>