[Oisf-users] EVE-Log identity, facility, level

Peter Manev petermanev at gmail.com
Mon Jun 9 17:54:39 UTC 2014


On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> When I use eve-log, the default parameters are always used for identity,
> facility, and level.
>
> ex:
>
> A configuration of the following:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: yes
>       #file|syslog|unix_dgram|unix_stream
>       type: syslog
>       # filename: eve.json
>       # the following are valid when type: syslog above
>       identity: "suriEVE" #"suricata"
>       facility: local1
>       level: Debug ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes     # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes     # enable this for extended logging information
>         - files:
>             force-magic: no   # force logging magic on all logged files
>             force-md5: no     # force logging of md5 checksums
>         #- drop
>         - ssh
>
> Always results in syslog messages with identity “suricata”, facility
> “local0” and level “Info” in my logs despite my configuration settings.  Is
> this a known issue (didn’t see one on redmine), or am I having a
> configuration mistake or something?
>
> Thanks,
>
> Paul
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Can you reproduce that consistently?

-- 
Regards,
Peter Manev
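One way to pin down where the identity/facility/level get lost, added here as an example and not code from this thread or from Suricata: capture the raw lines the syslog daemon receives (for instance on a UDP collector it forwards to, or from the socket Suricata writes to) and decode the `<PRI>` prefix, which carries facility*8 + severity, together with the tag that syslog(3) sets from the configured identity. The two sample lines below are constructed, not real captures; the hostname `sensor1`, the pid and the event payloads are invented for illustration.

```python
"""Check what identity, facility and level actually arrive on the syslog side.

Added example for the eve-log question above; not Suricata code.
The sample lines are constructed in RFC 3164 wire format so the script runs
offline: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
"""
import json
import re

# Facility codes from RFC 3164 / syslog(3). The eve-log "facility:" names map
# onto these; local0..local7 are the ones usually reserved for IDS output.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Severity codes 0..7, named as in the "level:" comment of the posted config.
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
          "Info", "Debug"]

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Split one RFC 3164 line into identity/facility/level plus the EVE event type."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, level_code = divmod(pri, 8)
    try:
        payload = json.loads(m.group("msg"))  # eve-log emits one JSON object per line
    except json.JSONDecodeError:
        payload = None
    return {
        "identity": m.group("tag"),
        "facility": FACILITIES.get(facility_code, f"facility{facility_code}"),
        "level": LEVELS[level_code],
        "host": m.group("host"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "event_type": payload.get("event_type") if isinstance(payload, dict) else None,
    }


def check_eve_syslog(line, identity, facility, level):
    """Return the mismatches between a received line and the configured eve-log settings.

    An empty list means the daemon received exactly what suricata.yaml asked for.
    Comparison is case-insensitive because the YAML accepts "Debug" and "debug".
    """
    got = parse_syslog_line(line)
    expected = {"identity": identity, "facility": facility, "level": level}
    return [
        f"{key}: configured {want!r}, received {got[key]!r}"
        for key, want in expected.items()
        if got[key].lower() != want.lower()
    ]


# Constructed samples (not real captures). PRI 134 = local0(16)*8 + Info(6) is
# what the defaults produce; PRI 143 = local1(17)*8 + Debug(7) is what the
# posted configuration should produce.
DEFAULT_LINE = ('<134>Jun  9 17:54:39 sensor1 suricata[2211]: '
                '{"timestamp":"2014-06-09T17:54:39.000000+0000",'
                '"event_type":"alert","src_ip":"10.0.0.5"}')
CONFIGURED_LINE = ('<143>Jun  9 17:54:40 sensor1 suriEVE[2211]: '
                   '{"timestamp":"2014-06-09T17:54:40.000000+0000",'
                   '"event_type":"dns","src_ip":"10.0.0.5"}')

if __name__ == "__main__":
    for sample in (DEFAULT_LINE, CONFIGURED_LINE):
        problems = check_eve_syslog(sample, "suriEVE", "local1", "Debug")
        print("OK" if not problems else "; ".join(problems))
```

If the raw lines already carry the default PRI and tag, the values are being lost before the daemon sees them, so the next things to check are which suricata.yaml the running process actually loaded and whether the build in use reads those keys at all; if the raw lines are correct but the log file still shows the defaults, the daemon's own template or filter rules are rewriting them.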


