[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level
Gofran, Paul
paul.gofran at lmco.com
Mon Jun 9 17:58:19 UTC 2014
Yes. No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
Is this issue specific to just me?
-Paul
-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Monday, June 09, 2014 1:55 PM
To: Gofran, Paul
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> When I use eve-log, the default parameters are always used for
> identity, facility, and level.
>
> ex:
>
> A configuration of the following:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: yes
>       #file|syslog|unix_dgram|unix_stream
>       type: syslog
>       # filename: eve.json
>       # the following are valid when type: syslog above
>       identity: "suriEVE" #"suricata"
>       facility: local1
>       level: Debug ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes # enable this for extended logging information
>         - files:
>             force-magic: no # force logging magic on all logged files
>             force-md5: no # force logging of md5 checksums
>         #- drop
>         - ssh
>
> Always results in syslog messages with identity “suricata”, facility
> “local0” and level “Info” in my logs despite my configuration
> settings. Is this a known issue (didn’t see one on redmine), or am I
> having a configuration mistake or something?
>
>
>
> Thanks,
>
> Paul
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
Can you reproduce that consistently?
--
Regards,
Peter Manev
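Peter's question is whether the behaviour reproduces. The most direct way to answer it is to look at what the sensor actually hands to syslog rather than at suricata.yaml: the identity is the syslog TAG/APP-NAME and facility and level are packed into the PRI field as facility * 8 + severity (RFC 3164 / RFC 5424), so "suricata", local0 and info show up as <134>suricata:, while the posted YAML asks for <143>suriEVE. The script below is an added check, not code from Suricata or from anyone in this thread; the hostname sensor1 and the log lines are constructed to mimic EVE records as a syslog daemon would receive them. Note that most syslog daemons strip the PRI before writing to a file, so feed it raw lines from the /dev/log socket or a packet capture, not from /var/log/syslog.

```python
"""Decode the identity, facility and level that Suricata's eve-log syslog
output really emits, and compare them with the configured values.

Added example for the mailing-list thread; not part of Suricata.  The PRI
arithmetic (PRI = facility * 8 + severity) is the RFC 3164 / RFC 5424 encoding.
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Index == numeric severity; the names match the suricata.yaml "level" comment.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "info", "debug"]

# Only PRI and TAG/APP-NAME matter here, so both patterns are deliberately loose.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")


def parse_syslog(line):
    """Return {identity, facility, level, message} for one raw syslog line,
    or None if the line is not syslog or carries an out-of-range PRI."""
    m = _RFC5424.match(line) or _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # local7/debug = 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "identity": m.group("tag"),
        "facility": FACILITIES.get(facility, "facility%d" % facility),
        "level": LEVELS[severity],
        "message": m.group("msg"),
    }


def check_against_config(lines, identity, facility, level):
    """Compare every EVE JSON line with the eve-log syslog settings from
    suricata.yaml.  Returns a sorted list of (field, configured, observed)
    mismatches; an empty list means the configuration really took effect."""
    expected = {"identity": identity,
                "facility": facility.lower(),
                "level": level.lower()}
    mismatches = set()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or not rec["message"].lstrip().startswith("{"):
            continue         # not an EVE JSON record (other daemons, noise)
        for field, want in expected.items():
            if rec[field] != want:
                mismatches.add((field, want, rec[field]))
    return sorted(mismatches)


# Constructed samples.  SAMPLE_OBSERVED is what the thread reports seeing
# (suricata / local0 / info -> PRI 16*8+6 = 134); SAMPLE_EXPECTED is what the
# posted YAML asks for (suriEVE / local1 / debug -> PRI 17*8+7 = 143).
SAMPLE_OBSERVED = [
    '<134>Jun  9 17:58:19 sensor1 suricata: {"timestamp":"2014-06-09T17:58:19.000000+0000","event_type":"alert","src_ip":"10.0.0.5"}',
    '<134>Jun  9 17:58:20 sensor1 suricata: {"timestamp":"2014-06-09T17:58:20.000000+0000","event_type":"dns","src_ip":"10.0.0.5"}',
    '<86>Jun  9 17:58:20 sensor1 sshd[1234]: Accepted publickey for paul',
]
SAMPLE_EXPECTED = [
    '<143>1 2014-06-09T17:58:19.000Z sensor1 suriEVE - - - {"timestamp":"2014-06-09T17:58:19.000000+0000","event_type":"alert"}',
]

if __name__ == "__main__":
    for name, lines in (("observed", SAMPLE_OBSERVED), ("expected", SAMPLE_EXPECTED)):
        print(name, "mismatches:", check_against_config(lines, "suriEVE", "local1", "Debug"))
```

Run it against the real stream with something like `socat -u UNIX-RECV:/tmp/suri.sock STDOUT` pointed at a scratch socket, or against `tcpdump -A` output of a remote syslog target, and pass the lines to check_against_config with the values from your own suricata.yaml. A non-empty mismatch list on fresh records confirms the report; an empty one points at the collector's own rewriting rules instead.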