[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level
Gofran, Paul
paul.gofran at lmco.com
Mon Jun 9 18:23:25 UTC 2014
No. I have:
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "Suricata"
      facility: local0
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
It doesn't appear to be using these settings since identity is "Suricata" (capital S) here which isn't seen in the logs. As it shouldn't since it's not enabled anyways.
-Paul
-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Monday, June 09, 2014 2:18 PM
To: Gofran, Paul
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
On Mon, Jun 9, 2014 at 7:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> Yes. No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
>
> Is this issue specific to just me?
Is your "syslog" section in yaml enabled?
>
> -Paul
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Monday, June 09, 2014 1:55 PM
> To: Gofran, Paul
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>
> On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>> When I use eve-log, the default parameters are always used for
>> identity, facility, and level.
>>
>> ex:
>>
>> A configuration of the following:
>>
>>   # "United" event log in JSON format
>>   - eve-log:
>>       enabled: yes
>>       #file|syslog|unix_dgram|unix_stream
>>       type: syslog
>>       # filename: eve.json
>>       # the following are valid when type: syslog above
>>       identity: "suriEVE" #"suricata"
>>       facility: local1
>>       level: Debug ## possible levels: Emergency, Alert, Critical,
>>                    ## Error, Warning, Notice, Info, Debug
>>       types:
>>         - alert
>>         - http:
>>             extended: yes # enable this for extended logging information
>>         - dns
>>         - tls:
>>             extended: yes # enable this for extended logging information
>>         - files:
>>             force-magic: no # force logging magic on all logged files
>>             force-md5: no # force logging of md5 checksums
>>         #- drop
>>         - ssh
>>
>> Always results in syslog messages with identity “suricata”, facility
>> “local0” and level “Info” in my logs despite my configuration
>> settings. Is this a known issue (didn’t see one on redmine), or am I
>> having a configuration mistake or something?
>>
>> Thanks,
>>
>> Paul
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
> Can you reproduce that consistently?
>
> --
> Regards,
> Peter Manev
--
Regards,
Peter Manev
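One way to verify whether the identity, facility and level configured for an eve-log syslog output are actually reaching the syslog daemon, as an added example that is not part of this thread and not Suricata's own code: decode the PRI and program tag of a stored record and compare them with the configured values. It assumes RFC 3164 formatted records and the standard PRI encoding (facility * 8 + severity); the EVE_LOG dict is hand-copied from the configuration quoted above rather than parsed from suricata.yaml, and the sample record is constructed to match what the thread reports seeing (tag suricata, local0, info).

```python
import re

# RFC 3164/5424 facility and severity codes, keyed by the names Suricata's
# YAML accepts for facility: and level: (matched case-insensitively here).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# RFC 3164 style record as a syslog daemon would store it:
#   <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical eve-log settings, hand-copied from the configuration in the thread.
EVE_LOG = {"identity": "suriEVE", "facility": "local1", "level": "Debug"}

# Constructed sample record: what the thread reports seeing (suricata/local0/info).
SAMPLE_LINE = ('<134>Jun  9 18:23:25 sensor1 suricata[2143]: '
               '{"timestamp":"2014-06-09T18:23:25.000000+0000","event_type":"alert"}')


def expected_pri(eve_log):
    """PRI the configured facility/level should yield: facility * 8 + severity."""
    facility = FACILITIES[eve_log["facility"].lower()]
    level = LEVELS[eve_log["level"].lower()]
    return facility * 8 + level


def decode(line):
    """Split a syslog record into identity (tag), facility, level and message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 record: {line!r}")
    pri = int(m.group("pri"))
    return {
        "identity": m.group("tag"),
        "facility": pri // 8,
        "level": pri % 8,
        "message": m.group("msg"),
    }


def check_line(line, eve_log):
    """Return (field, configured, observed) tuples for every field that disagrees.

    The identity comparison is deliberately case-sensitive, since the syslog tag is.
    """
    observed = decode(line)
    want = {
        "identity": eve_log["identity"],
        "facility": eve_log["facility"].lower(),
        "level": eve_log["level"].lower(),
    }
    got = {
        "identity": observed["identity"],
        "facility": FACILITY_NAMES.get(observed["facility"], str(observed["facility"])),
        "level": LEVEL_NAMES[observed["level"]],
    }
    return [(k, want[k], got[k]) for k in want if want[k] != got[k]]


if __name__ == "__main__":
    print("configured PRI:", expected_pri(EVE_LOG))
    for field, configured, observed in check_line(SAMPLE_LINE, EVE_LOG):
        print(f"{field}: configured {configured!r}, observed {observed!r}")
```

Run against the constructed record, the report lists all three fields as mismatched (identity suriEVE vs suricata, local1 vs local0, debug vs info), which is the symptom described in the thread; a record with PRI 143 and tag suriEVE reports nothing. Feeding real lines from the syslog daemon's spool through check_line is a quick way to tell a configuration that is silently ignored from one that is merely mis-specified.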