[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Peter Manev petermanev at gmail.com
Mon Jun 9 18:18:29 UTC 2014


On Mon, Jun 9, 2014 at 7:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> Yes.   No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
>
> Is this issue specific to just me?


Is your "syslog" section in yaml enabled?

>
> -Paul
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Monday, June 09, 2014 1:55 PM
> To: Gofran, Paul
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>
> On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>> When I use eve-log, the default parameters are always used for
>> identity, facility, and level.
>>
>>
>>
>> ex:
>>
>> A configuration of the following:
>>
>>   # "United" event log in JSON format
>>   - eve-log:
>>       enabled: yes
>>       #file|syslog|unix_dgram|unix_stream
>>       type: syslog
>>       # filename: eve.json
>>       # the following are valid when type: syslog above
>>       identity: "suriEVE" #"suricata"
>>       facility: local1
>>       level: Debug ## possible levels: Emergency, Alert, Critical,
>>                    ## Error, Warning, Notice, Info, Debug
>>       types:
>>         - alert
>>         - http:
>>             extended: yes     # enable this for extended logging information
>>         - dns
>>         - tls:
>>             extended: yes     # enable this for extended logging information
>>         - files:
>>             force-magic: no   # force logging magic on all logged files
>>             force-md5: no     # force logging of md5 checksums
>>         #- drop
>>         - ssh
>>
>> Always results in syslog messages with identity “suricata”, facility
>> “local0” and level “Info” in my logs despite my configuration
>> settings.  Is this a known issue (didn’t see one on redmine), or am I
>> having a configuration mistake or something?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
> Can you reproduce that consistently?
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
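Added example, not part of this thread and not Suricata's own code: a small check for the symptom Paul describes. It extracts identity, facility and level from the quoted eve-log block (a minimal key/value scan, not a YAML parser), computes the RFC 3164 PRI value (facility * 8 + severity) that messages honouring that configuration would carry, and compares received syslog lines against it, flagging the case where a line still carries the built-in defaults ("suricata", local0, info). The syslog lines below are constructed for the example; the RFC 3164 numeric codes are standard, the severity names are the ones listed in the quoted YAML comment. This matters for a defender because downstream routing (rsyslog or syslog-ng filters keyed on facility and severity, alert forwarding to a SIEM) silently breaks when the sensor does not emit the facility and level you think it does.

```python
import re

# RFC 3164 numeric codes for the facility names and for the severity names the
# quoted suricata.yaml comment lists (Emergency ... Debug).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The values the thread reports seeing regardless of what the YAML says.
DEFAULTS = {"identity": "suricata", "facility": "local0", "level": "info"}

# The eve-log block quoted in the thread, without the e-mail double spacing.
CONFIG = '''
  # "United" event log in JSON format
  - eve-log:
      enabled: yes
      #file|syslog|unix_dgram|unix_stream
      type: syslog
      # filename: eve.json
      # the following are valid when type: syslog above
      identity: "suriEVE" #"suricata"
      facility: local1
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
'''


def _strip_comment(line):
    """Drop a trailing '#' comment, leaving a '#' inside double quotes alone."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_syslog_settings(yaml_text):
    """Pull identity/facility/level out of an eve-log block.

    Deliberately minimal: only flat 'key: value' lines are understood, and
    anything not set falls back to the built-in defaults. Unknown facility or
    level names are rejected so a typo in the YAML is caught here.
    """
    settings = dict(DEFAULTS)
    for raw in yaml_text.splitlines():
        m = re.match(r"^(identity|facility|level):\s*(.+)$", _strip_comment(raw))
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    settings["facility"] = settings["facility"].lower()
    settings["level"] = settings["level"].lower()
    if settings["facility"] not in FACILITIES:
        raise ValueError(f"unknown facility {settings['facility']!r}")
    if settings["level"] not in LEVELS:
        raise ValueError(f"unknown level {settings['level']!r}")
    return settings


def expected_pri(settings):
    """PRI value a message honouring these settings carries: facility*8 + severity."""
    return FACILITIES[settings["facility"]] * 8 + LEVELS[settings["level"]]


# <PRI>, optional 'Mon dd hh:mm:ss host ', then the tag (identity) and optional [pid].
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+)?([^:\[\s]+)(?:\[\d+\])?:")


def check_received(settings, line):
    """Compare one received syslog line with what the config should produce.

    Returns (ok, reason); the defaults case is reported separately because it
    is exactly the symptom discussed in the thread.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return False, "not a syslog line with a PRI header"
    pri, ident = int(m.group(1)), m.group(2)
    want = expected_pri(settings)
    if pri == want and ident == settings["identity"]:
        return True, "config applied"
    if pri == expected_pri(DEFAULTS) and ident == DEFAULTS["identity"]:
        return False, "message carries the built-in defaults; eve-log syslog settings were not applied"
    return False, f"mismatch: got PRI {pri} ident {ident!r}, expected PRI {want} ident {settings['identity']!r}"


# Constructed RFC 3164 lines standing in for what a syslog daemon would write.
RECEIVED_DEFAULTS = '<134>Jun  9 18:18:29 sensor1 suricata[2034]: {"event_type":"alert"}'
RECEIVED_EXPECTED = '<143>Jun  9 18:18:29 sensor1 suriEVE[2034]: {"event_type":"alert"}'

if __name__ == "__main__":
    cfg = parse_syslog_settings(CONFIG)
    print("configured:", cfg, "-> expected PRI", expected_pri(cfg))
    for received in (RECEIVED_DEFAULTS, RECEIVED_EXPECTED):
        print(check_received(cfg, received))
```

With the quoted settings the expected header is `<143>` (local1 = 17, debug = 7) with tag `suriEVE`; a line arriving as `<134>... suricata[...]:` is the defaults case from the thread. Point the check at lines from the receiving syslog daemon rather than at Suricata's own output file, since the PRI header is what the daemon's filters see.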