[Oisf-devel] EXTERNAL: Problem with eve logging using syslog

Gofran, Paul paul.gofran at lmco.com
Wed Jul 16 15:02:20 UTC 2014


Duarte,

See issue #1204, I believe it covers what you're looking for:
https://redmine.openinfosecfoundation.org/issues/1204

-Paul

-----Original Message-----
From: oisf-devel-bounces at lists.openinfosecfoundation.org [mailto:oisf-devel-bounces at lists.openinfosecfoundation.org] On Behalf Of Duarte Silva
Sent: Wednesday, July 16, 2014 10:53 AM
To: oisf-devel at lists.openinfosecfoundation.org
Subject: EXTERNAL: [Oisf-devel] Problem with eve logging using syslog

Hi guys,

I have the following Syslog configuration on my Suricata sensor (forward logs to a server):

> # cat /etc/rsyslog.d/suricata.conf
> local5.* @logserver:514

And the following Suricata Eve configuration:

>  - eve-log:
>      enabled: yes
>      type: syslog #file|syslog|unix_dgram|unix_stream
>      filename: eve.json
>      # the following are valid when type: syslog above
>      #identity: "suricata"
>      facility: local5
>      #level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug

When an event happens, I get on the Suricata sensor /var/log/messages file the respective log event:

> Jul 16 14:24:44 pidsint suricata: {"timestamp":"2014-07-16T14:24:44.416708","event_type":"alert","src_ip":"client","src_port":51958,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}

The problem is, even though the event is written into /var/log/messages, it doesn't get forwarded unless I enable Suricata syslog logging. I have the following syslog configuration:

>  - syslog:
>      enabled: yes
>      # reported identity to syslog. If omitted the program name (usually
>      # suricata) will be used.
>      #identity: "suricata"
>      facility: local5
>      #level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug

But if I enable syslog logging, both log events get forwarded to the log server. In the Suricata sensor /var/log/messages file:

> Jul 16 14:25:32 pidsint suricata[29738]: {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
> Jul 16 14:25:32 pidsint suricata[29738]: [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80

In the log server:

> {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}} [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80

This leads me to think there is a bug that is preventing eve logging (using syslog) dependent upon syslog logging. Do you guys have any idea why this is happening?

Cheers,
Duarte


_______________________________________________
Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
Redmine: https://redmine.openinfosecfoundation.org/
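An added example (not from the list post or the Suricata project) for checking a symptom like the one above: /var/log/messages does not show the syslog facility, so the script decodes the PRI of raw syslog lines to see which facility and severity each Suricata message was actually emitted with, and evaluates it against the `local5.*` forwarding selector from the post. The sample lines are constructed, and the line tagged with the `user` facility is an assumed mismatch to illustrate what a rsyslog selector would skip, not a diagnosis of the reported issue.

```python
import re

# Facility and severity codes as numbered in RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(line):
    """Split a raw syslog line into (facility, severity, rest); None if PRI missing/invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)

def selector_matches(selector, facility, severity):
    """Evaluate a classic 'facility.priority' selector ('local5.*', '*.info').
    A named priority matches that severity and every more urgent one."""
    fac, _, sev = selector.partition(".")
    if fac not in ("*", facility):
        return False
    return sev == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sev)

def audit_suricata_lines(lines, forward_selector="local5.*", tag="suricata"):
    """Per Suricata message: facility, severity, eve-or-not, and whether the rule fires."""
    report = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue
        facility, severity, rest = decoded
        if not re.search(r"\s%s(\[\d+\])?: " % re.escape(tag), rest):
            continue  # not one of Suricata's messages
        report.append({"facility": facility, "severity": severity,
                       "eve": rest.rstrip().endswith("}"),  # eve-log records are JSON objects
                       "forwarded": selector_matches(forward_selector, facility, severity)})
    return report

# Constructed sample input, not captured from a real sensor. Lines 1-2 carry local5 as the
# post's rsyslog rule expects; line 3 uses the default 'user' facility (an assumed mismatch,
# to show how a local5.* rule would skip it); line 4 is unrelated noise.
SAMPLE_LINES = [
    '<174>Jul 16 14:25:32 pidsint suricata[29738]: [1:2006380:12] ET POLICY Outgoing Basic Auth ...',
    '<174>Jul 16 14:25:32 pidsint suricata[29738]: {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert"}',
    '<14>Jul 16 14:24:44 pidsint suricata: {"timestamp":"2014-07-16T14:24:44.416708","event_type":"alert"}',
    '<38>Jul 16 14:24:50 pidsint sshd[1201]: Accepted publickey for ops from 10.0.0.5',
]
```

Run `audit_suricata_lines(SAMPLE_LINES)` against lines captured before rsyslog strips the PRI (for example from a raw UDP listener on the log server) to see whether the eve records arrive under the facility the forwarding rule expects.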