<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Thanks.  I followed your suggestions and re-enabled the eve-json.  </p>
<p>A co-worker had switched it to the other method and I was trying to duplicate that person's effort.</p>
<p>Working now per below.</p>
<p><br /></p>
<p>Craig</p>
<p><br /></p>
<p>On 2019-06-30 16:48, Michał Purzyński wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div dir="ltr">
<div>Can you share your suricata.yml? Ideally Suricata should not write events to syslog, eve-json is best used for that. Take a look here to disable the syslog output</div>
<div> </div>
<div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html" target="_blank" rel="noopener noreferrer">https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html</a></div>
<div> </div>
<div>And here to enable the eve-json</div>
<div> </div>
<div><a href="https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html" target="_blank" rel="noopener noreferrer">https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html</a></div>
<div> </div>
<div>We use syslog-ng to pick up messages from the JSON file and ship them to SIEM.</div>
<div> </div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">On Wed, Jun 19, 2019 at 6:02 AM <<a href="mailto:craig@reswob10.net">craig@reswob10.net</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<div style="font-size: 10pt; font-family: Verdana,Geneva,sans-serif;">
<p><br /></p>
<p>Hi, new to suricata.  I have a new install on CentOS 7 running rsyslog 8.24.0-34.el7 and I have suricata 4.1.4</p>
<p><br /></p>
<p>My problem is it appears rsyslog is blocking writing of events to /var/log/messages because I see no suricata logs, but many of these entries:</p>
<p>journal: Suppressed 13475 messages from /system.slice/suricata.service </p>
<p>(the number of suppressed messages changes, but the main message stays the same)</p>
<p><br /></p>
<p>Is there a particular area of my config I should look at to tweak to fix this? Does this mean I should migrate to a server with more CPU and/or RAM?</p>
<p>Thanks</p>
<p>Craig</p>
<p><br /></p>
<p>My other question is this: is there a way to search the archives?  I went to <a href="https://lists.openinfosecfoundation.org/pipermail/oisf-users/" target="_blank" rel="noopener noreferrer">https://lists.openinfosecfoundation.org/pipermail/oisf-users/</a> but I didn't see a search capability...</p>
</div>
_______________________________________________<br /> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br /> Site: <a href="http://suricata-ids.org" target="_blank" rel="noopener noreferrer">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank" rel="noopener noreferrer">http://suricata-ids.org/support/</a><br /> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" rel="noopener noreferrer">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br /><br /> Conference: <a href="https://suricon.net" target="_blank" rel="noopener noreferrer">https://suricon.net</a><br /> Trainings: <a href="https://suricata-ids.org/training/" target="_blank" rel="noopener noreferrer">https://suricata-ids.org/training/</a></blockquote>
</div>
</blockquote>
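<p>An added example, not a config from anyone in this thread: the <code>outputs</code> section of <code>suricata.yaml</code> set up the way the reply above describes, with the syslog output disabled and EVE JSON enabled so a shipper such as syslog-ng can tail the file. The log directory, the file name and the list of event types are assumptions to adjust for the deployment.</p>

```yaml
# suricata.yaml outputs section (added example, not the thread's own config).
# Suricata's event volume easily trips journald/rsyslog rate limiting, which
# is what "journal: Suppressed N messages from /system.slice/suricata.service"
# reports. Writing events to eve.json sidesteps that and keeps full JSON detail.

default-log-dir: /var/log/suricata/   # assumed; must be writable by the suricata user

outputs:
  # Weak setting: every alert is pushed through syslog (and so the journal).
  # - syslog:
  #     enabled: yes
  #     identity: "suricata"
  #     facility: local5
  #     level: Info

  # Corrected: syslog alerting off ...
  - syslog:
      enabled: no
      identity: "suricata"
      facility: local5
      level: Info

  # ... and EVE JSON on: one JSON object per line, one line per event.
  - eve-log:
      enabled: yes
      filetype: regular        # plain file; a shipper tails it and forwards to the SIEM
      filename: eve.json       # relative to default-log-dir
      types:
        - alert:
            tagged-packets: yes
        - http
        - dns
        - tls
        - flow
        - stats:
            totals: yes
            threads: no
```

After a restart, confirm that /var/log/suricata/eve.json grows and that the "Suppressed N messages" lines stop appearing in /var/log/messages.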
</body></html>