[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Gofran, Paul paul.gofran at lmco.com
Mon Jun 9 18:23:25 UTC 2014


No.  I have:

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "Suricata"
      facility: local0
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug


It doesn't appear to be using these settings since identity is "Suricata" (capital S) here, which isn't seen in the logs.  As it shouldn't, since it's not enabled anyway.

-Paul

-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Monday, June 09, 2014 2:18 PM
To: Gofran, Paul
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level

On Mon, Jun 9, 2014 at 7:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> Yes.   No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
>
> Is this issue specific to just me?


Is your "syslog" section in yaml enabled?

>
> -Paul
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Monday, June 09, 2014 1:55 PM
> To: Gofran, Paul
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>
> On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>> When I use eve-log, the default parameters are always used for 
>> identity, facility, and level.
>>
>>
>>
>> ex:
>>
>> A configuration of the following:
>>
>>   # "United" event log in JSON format
>>   - eve-log:
>>       enabled: yes
>>       #file|syslog|unix_dgram|unix_stream
>>       type: syslog
>>       # filename: eve.json
>>       # the following are valid when type: syslog above
>>       identity: "suriEVE" #"suricata"
>>       facility: local1
>>       level: Debug ## possible levels: Emergency, Alert, Critical,
>>                    ## Error, Warning, Notice, Info, Debug
>>       types:
>>         - alert
>>         - http:
>>             extended: yes     # enable this for extended logging information
>>         - dns
>>         - tls:
>>             extended: yes     # enable this for extended logging information
>>         - files:
>>             force-magic: no   # force logging magic on all logged files
>>             force-md5: no     # force logging of md5 checksums
>>         #- drop
>>         - ssh
>>
>> Always results in syslog messages with identity “suricata”, facility 
>> “local0” and level “Info” in my logs despite my configuration 
>> settings.  Is this a known issue (didn’t see one on redmine), or am I 
>> having a configuration mistake or something?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
> Can you reproduce that consistently?
>
> --
> Regards,
> Peter Manev



--
Regards,
Peter Manev
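One way to check what the sensor is really emitting, added here as an example and not code from the thread or from Suricata itself: decode the PRI field (facility * 8 + severity, per RFC 3164/5424) and the tag of a raw syslog line and compare them with the identity, facility and level the YAML asks for. The sample line, hostname and IP below are constructed.

```python
import re
from typing import Optional, Dict

# Syslog facility codes from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                  "local0": 16, "local1": 17, "local2": 18, "local3": 19,
                  "local4": 20, "local5": 21, "local6": 22, "local7": 23}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
# Severity names as spelled in the suricata.yaml comment, in RFC order (0 = Emergency ... 7 = Debug).
LEVEL_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# BSD-style line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message" (timestamp and host optional).
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) )?"
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s?(?P<msg>.*)$")

def expected_pri(facility: str, level: str) -> int:
    """PRI value a syslog writer encodes for a configured facility/level pair."""
    severity = [n.lower() for n in LEVEL_NAMES].index(level.lower())
    return FACILITY_CODES[facility.lower()] * 8 + severity

def decode(line: str) -> Optional[Dict[str, str]]:
    """Split a raw syslog line into facility, level, identity (tag) and message; None if unparsable."""
    m = _LINE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return {"facility": FACILITY_NAMES.get(pri >> 3, f"unknown({pri >> 3})"),
            "level": LEVEL_NAMES[pri & 7],
            "identity": m.group("tag"),
            "message": m.group("msg")}

def matches_config(line: str, identity: str, facility: str, level: str) -> bool:
    """True when the line carries exactly the identity/facility/level the YAML asks for."""
    d = decode(line)
    return (d is not None and d["identity"] == identity
            and d["facility"] == facility.lower() and d["level"].lower() == level.lower())

# Constructed sample of what the thread reports seeing (suricata / local0 / Info): PRI 16*8+6 = 134.
OBSERVED = '<134>Jun  9 18:23:25 sensor1 suricata: {"event_type":"alert","src_ip":"10.0.0.1"}'

if __name__ == "__main__":
    print(decode(OBSERVED))
    print("matches eve-log config:", matches_config(OBSERVED, "suriEVE", "local1", "Debug"))
    print("expected PRI for local1/Debug:", expected_pri("local1", "Debug"))
```

Feed it lines captured with the raw PRI intact (for example from a syslog daemon configured to keep the `<PRI>` prefix, or a packet capture of UDP/514) rather than the already-reformatted /var/log text, since most daemons drop the PRI when writing files.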

