[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Peter Manev petermanev at gmail.com
Mon Jun 9 18:26:40 UTC 2014


On Mon, Jun 9, 2014 at 8:23 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> No.  I have:
>
>   # a line based alerts log similar to fast.log into syslog
>   - syslog:
>       enabled: no
>       # reported identity to syslog. If omitted the program name (usually
>       # suricata) will be used.
>       identity: "Suricata"
>       facility: local0
>       level: Debug ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>
>
> It doesn't appear to be using these settings since identity is "Suricata" (capital S) here which isn't seen in the logs.  As it shouldn't since it's not enabled anyways.


Can you enable it here as well, make the same naming changes and see
if it makes any difference?


>
> -Paul
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Monday, June 09, 2014 2:18 PM
> To: Gofran, Paul
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>
> On Mon, Jun 9, 2014 at 7:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>> Yes.   No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
>>
>> Is this issue specific to just me?
>
>
> Is your "syslog" section in yaml enabled?
>
>>
>> -Paul
>>
>> -----Original Message-----
>> From: Peter Manev [mailto:petermanev at gmail.com]
>> Sent: Monday, June 09, 2014 1:55 PM
>> To: Gofran, Paul
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>>
>> On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>>> When I use eve-log, the default parameters are always used for
>>> identity, facility, and level.
>>>
>>> ex:
>>>
>>> A configuration of the following:
>>>
>>>   # "United" event log in JSON format
>>>   - eve-log:
>>>       enabled: yes
>>>       #file|syslog|unix_dgram|unix_stream
>>>       type: syslog
>>>       # filename: eve.json
>>>       # the following are valid when type: syslog above
>>>       identity: "suriEVE" #"suricata"
>>>       facility: local1
>>>       level: Debug ## possible levels: Emergency, Alert, Critical,
>>>                    ## Error, Warning, Notice, Info, Debug
>>>       types:
>>>         - alert
>>>         - http:
>>>             extended: yes     # enable this for extended logging information
>>>         - dns
>>>         - tls:
>>>             extended: yes     # enable this for extended logging information
>>>         - files:
>>>             force-magic: no   # force logging magic on all logged files
>>>             force-md5: no     # force logging of md5 checksums
>>>         #- drop
>>>         - ssh
>>>
>>> Always results in syslog messages with identity "suricata", facility
>>> "local0" and level "Info" in my logs despite my configuration
>>> settings.  Is this a known issue (didn't see one on redmine), or am I
>>> having a configuration mistake or something?
>>>
>>> Thanks,
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>> Can you reproduce that consistently?
>>
>> --
>> Regards,
>> Peter Manev
>
>
>
> --
> Regards,
> Peter Manev



-- 
Regards,
Peter Manev
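The thread turns on whether the identity, facility and level configured under the eve-log syslog output actually reach the syslog daemon. One way to settle that from the receiving side is to decode the PRI value of the raw syslog lines and compare it with the YAML. The script below is an added example written for this thread; it is not code from the original posts or from the Suricata project. It assumes classic BSD syslog lines with the `<PRI>` prefix still present (as seen on the socket, or when the daemon's output template keeps it; file outputs often strip it), uses the standard RFC 3164 facility/severity numbering, and reads the three keys from the eve-log block quoted above. The sample log lines are constructed, not captures. It decodes every facility and severity, not just local0/local1 and Info/Debug.

```python
import re

# RFC 3164 facility and severity codes (standard syslog mapping, assumed here;
# the thread itself only names the Suricata level names and local0/local1).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# Matches the three syslog-related keys of a suricata.yaml output block.
KEY_RE = re.compile(r"^\s*(identity|facility|level):\s*(.*)$")

# Classic BSD syslog line: <PRI>Mon DD HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def expected_from_yaml(block):
    """Extract identity/facility/level from one output block of suricata.yaml.
    Strips YAML comments and quotes; the first occurrence of each key wins,
    so pass only the block you want to check (e.g. the eve-log block)."""
    found = {}
    for line in block.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        value = raw.split("#", 1)[0].strip().strip("\"'")
        found.setdefault(key, value)
    return found


def parse_syslog_line(line):
    """Decode tag, facility and severity from a raw BSD syslog line.
    PRI = facility * 8 + severity, so facility is PRI >> 3 and severity PRI & 7."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "identity": m.group("tag"),
        "facility": FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
        "level": SEVERITIES[pri & 7],
        "message": m.group("msg"),
    }


def check_lines(block, lines):
    """Compare each syslog line with the configured values; return
    (line_number, key, expected, observed) for every mismatch."""
    expected = expected_from_yaml(block)
    mismatches = []
    for n, line in enumerate(lines, 1):
        got = parse_syslog_line(line)
        for key in ("identity", "facility", "level"):
            if key in expected and expected[key].lower() != got[key].lower():
                mismatches.append((n, key, expected[key], got[key]))
    return mismatches


# The eve-log block from the thread (identity suriEVE, facility local1, level Debug).
EVE_LOG_CONFIG = """\
  - eve-log:
      enabled: yes
      #file|syslog|unix_dgram|unix_stream
      type: syslog
      # filename: eve.json
      # the following are valid when type: syslog above
      identity: "suriEVE" #"suricata"
      facility: local1
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
"""

# Constructed sample lines, not real captures. The first reproduces what the
# thread reports (suricata / local0 / info -> PRI 16*8+6 = 134); the second is
# what the configuration above should produce (suriEVE / local1 / debug -> 143).
SAMPLE_LINES = [
    '<134>Jun  9 18:26:40 sensor1 suricata[4242]: {"timestamp":"2014-06-09T18:26:40.000000+0000","event_type":"alert"}',
    '<143>Jun  9 18:26:41 sensor1 suriEVE[4242]: {"timestamp":"2014-06-09T18:26:41.000000+0000","event_type":"dns"}',
]

if __name__ == "__main__":
    for n, key, want, got in check_lines(EVE_LOG_CONFIG, SAMPLE_LINES):
        print(f"line {n}: {key} expected {want!r}, observed {got!r}")
```

Run as-is it reports three mismatches for the first sample line (identity, facility and level all at their defaults, which is the symptom in the thread) and none for the second. To check a live sensor, feed it the raw lines from the syslog socket or from an rsyslog/syslog-ng output that preserves the PRI.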