[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Gofran, Paul paul.gofran at lmco.com
Mon Jun 9 17:58:19 UTC 2014


Yes. No matter what I put in the YAML for identity, facility, and level, the logs always come out as "suricata", "local0", and "info" respectively.

Is this issue specific to just me?

-Paul

-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Monday, June 09, 2014 1:55 PM
To: Gofran, Paul
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level

On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> When I use eve-log, the default parameters are always used for
> identity, facility, and level.
>
> ex:
>
> A configuration of the following:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: yes
>       #file|syslog|unix_dgram|unix_stream
>       type: syslog
>       # filename: eve.json
>       # the following are valid when type: syslog above
>       identity: "suriEVE" #"suricata"
>       facility: local1
>       level: Debug ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes     # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes     # enable this for extended logging information
>         - files:
>             force-magic: no   # force logging magic on all logged files
>             force-md5: no     # force logging of md5 checksums
>         #- drop
>         - ssh
>
> Always results in syslog messages with identity “suricata”, facility 
> “local0” and level “Info” in my logs despite my configuration 
> settings.  Is this a known issue (didn’t see one on redmine), or am I 
> having a configuration mistake or something?
>
> Thanks,
>
> Paul
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Can you reproduce that consistently?

--
Regards,
Peter Manev
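One way to answer Peter's question with evidence rather than with a syslog daemon's rendered output is to look at the PRI field of the raw syslog messages Suricata emits: the facility and level are encoded there as PRI = facility * 8 + severity (RFC 3164 / RFC 5424), and the identity is the tag that follows the hostname. The script below is an added example, not code from the thread or from Suricata; the two sample lines are constructed, and it assumes you can obtain the raw lines (for instance from a capture of the syslog traffic or from a daemon configured to store messages unmodified). With the YAML posted above, local1 and Debug should produce PRI 143; the defaults the thread describes, local0 and Info, produce PRI 134.

```python
import re

# Syslog facility and severity codes (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity names spelled as in the eve-log YAML comment (Emergency ... Debug), lowercased.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# BSD-style syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def encode_pri(facility, level):
    """PRI value a syslog writer should emit for the given facility and level names."""
    fac = {name: code for code, name in FACILITIES.items()}[facility.lower()]
    return fac * 8 + SEVERITIES.index(level.lower())


def decode_pri(pri):
    """Split a PRI value into (facility name, level name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_syslog_line(line):
    """Return identity (tag), facility, level and message of one raw syslog line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, level = decode_pri(int(m.group("pri")))
    return {"identity": m.group("tag"), "facility": facility,
            "level": level, "message": m.group("msg")}


def check_eve_syslog(lines, identity, facility, level):
    """Return the parsed records whose identity/facility/level differ from the configured ones."""
    expected = (identity, facility.lower(), level.lower())
    return [rec for rec in map(parse_syslog_line, lines)
            if (rec["identity"], rec["facility"], rec["level"]) != expected]


# Constructed sample lines (not real captures): the first carries the defaults the
# thread describes (local0/info, tag "suricata"), the second what the posted YAML
# (local1/Debug, identity "suriEVE") would produce on the wire.
SAMPLE_LINES = [
    '<134>Jun  9 17:58:19 sensor1 suricata: {"event_type":"alert","src_ip":"192.0.2.1"}',
    '<143>Jun  9 17:58:20 sensor1 suriEVE: {"event_type":"dns","src_ip":"192.0.2.1"}',
]

if __name__ == "__main__":
    print("expected PRI for local1/Debug:", encode_pri("local1", "Debug"))
    for rec in check_eve_syslog(SAMPLE_LINES, "suriEVE", "local1", "Debug"):
        print("mismatch:", rec["identity"], rec["facility"], rec["level"])
```

Running `check_eve_syslog` over real lines with the identity, facility and level from the YAML tells you directly whether the settings reached the wire; a daemon's own log file can re-tag or re-route messages according to its rules, so it is a less reliable place to judge what Suricata sent.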

