[Oisf-devel] Problem with eve logging using syslog

Duarte Silva duarte.silva at serializing.me
Wed Jul 16 14:53:09 UTC 2014 

Hi guys,

I have the following Syslog configuration on my Suricata sensor (forward logs 
to a server):

> # cat /etc/rsyslog.d/suricata.conf
> local5.* @logserver:514

And the following Suricata Eve configuration:

>  - eve-log:
>      enabled: yes
>      type: syslog #file|syslog|unix_dgram|unix_stream
>      filename: eve.json
>      # the following are valid when type: syslog above
>      #identity: "suricata"
>      facility: local5
>      #level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug

When an event happens, I get on the Suricata sensor /var/log/messages file the 
respective log event:

> Jul 16 14:24:44 pidsint suricata: {"timestamp":"2014-07-16T14:24:44.416708",
> "event_type":"alert","src_ip":"client","src_port":51958,"dest_ip":"server",
> "dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,
> "signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic 
> Auth Base64 HTTP Password detected unencrypted","category":"Potential 
> Corporate Privacy Violation","severity":1}}

The problem is, even though the event is written into /var/log/messages, it 
doesn't get forwarded unless I enable Suricata syslog logging. I have the 
following syslog configuration:

>  - syslog:
>      enabled: yes
>      # reported identity to syslog. If ommited the program name (usually
>      # suricata) will be used.
>      #identity: "suricata"
>      facility: local5
>      #level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug

But if I enable syslog logging, both log events get forwarded to the log 
server. In the Suricata sensor /var/log/messages file:

> Jul 16 14:25:32 pidsint suricata[29738]: 
{"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":
{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET 
POLICY Outgoing Basic Auth Base64 HTTP Password detected 
unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
> Jul 16 14:25:32 pidsint suricata[29738]: [1:2006380:12] ET POLICY Outgoing 
Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential 
Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80

In the log server:

> {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip"
> :"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP",
> "alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,
> "signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password 
> detected unencrypted","category":"Potential Corporate Privacy
> Violation","severity":1}}
> [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password 
> detected unencrypted [Classification: Potential Corporate Privacy 
> Violation] [Priority: 1] {TCP} client:52119 -> server:80

This leads me to thing there is a bug that is preventing eve logging (using 
syslog) dependent upon syslog logging. Do you guys have any idea why this is 
happening?

Cheers,
Duarte

More information about the Oisf-devel mailing list