[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Gofran, Paul paul.gofran at lmco.com
Mon Jun 9 19:58:51 UTC 2014


Peter, I enabled the syslog section and did see the identity and facility change for my log messages.  The level still came out as "info" always though.  I tried the following options for level:  Debug, debug, "Debug", and "debug".   All came out as info.

So correct me if I'm wrong but are there 3 related issues here?
1) The eve-log parameters identity, facility, and level don't affect anything.  It didn't matter if I made these the same as the syslog section or different, they didn't take effect.
2) The syslog section is not just for alerts and the identity, facility, and level parameters affect eve-log when it's in syslog mode.
3) The level parameter is not working 

I'll be happy to try out any other test configurations if you have any other ideas.  If these are actual issues let me know if you want me to submit a bug.  Thanks for the help.

-Paul
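As an added example (not code from the thread or from Suricata), a small Python checker that decodes the PRI header of received syslog lines into facility and severity, pulls out the tag, and flags lines that disagree with the identity, facility and level configured in the eve-log section; the sample lines, host name and PID are constructed.

```python
"""Decode RFC 3164 style syslog headers and compare facility, severity and tag
with what an eve-log syslog section was configured to emit (added example)."""
import re

# Facility codes 0-23 and severity codes 0-7 as numbered in RFC 3164.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (the BSD layout most syslog daemons write)
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_line(line):
    """Return facility, severity, identity (tag) and message, or None if not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity,
            "identity": m.group("tag"), "msg": m.group("msg")}

def check_against_config(lines, identity, facility, level):
    """Return (line, observed) pairs whose header differs from the configured
    identity/facility/level; comparison is case-insensitive, like the YAML values."""
    expected = (identity.lower(), facility.lower(), level.lower())
    mismatches = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        observed = (rec["identity"].lower(), rec["facility"], rec["severity"])
        if observed != expected:
            mismatches.append((line, observed))
    return mismatches

# Constructed sample: one line as the thread reports it (suricata/local0/info, PRI 134)
# and one shaped like the configured suriEVE/local1/Debug output (PRI 143).
SAMPLE = [
    '<134>Jun  9 19:58:51 sensor1 suricata[4242]: {"event_type":"alert","src_ip":"10.0.0.5"}',
    '<143>Jun  9 19:58:52 sensor1 suriEVE[4242]: {"event_type":"dns","src_ip":"10.0.0.5"}',
]

if __name__ == "__main__":
    for line, observed in check_against_config(SAMPLE, "suriEVE", "local1", "Debug"):
        print("header does not match config:", observed, "<-", line[:45])
```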



-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Monday, June 09, 2014 2:27 PM
To: Gofran, Paul
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level

On Mon, Jun 9, 2014 at 8:23 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> No.  I have:
>
>   # a line based alerts log similar to fast.log into syslog
>   - syslog:
>       enabled: no
>       # reported identity to syslog. If omitted the program name (usually
>       # suricata) will be used.
>       identity: "Suricata"
>       facility: local0
>       level: Debug ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>
>
> It doesn't appear to be using these settings since identity is "Suricata" (capital S) here which isn't seen in the logs.  As it shouldn't since it's not enabled anyways.


Can you enable it here as well, make the same naming changes and see if it makes any difference?


>
> -Paul
>
> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Monday, June 09, 2014 2:18 PM
> To: Gofran, Paul
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, 
> level
>
> On Mon, Jun 9, 2014 at 7:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>> Yes.   No matter what I put in the YAML for identity, facility, and level - the logs always come out as "suricata", "local0", and "info" respectively.
>>
>> Is this issue specific to just me?
>
>
> Is your "syslog" section in yaml enabled?
>
>>
>> -Paul
>>
>> -----Original Message-----
>> From: Peter Manev [mailto:petermanev at gmail.com]
>> Sent: Monday, June 09, 2014 1:55 PM
>> To: Gofran, Paul
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: EXTERNAL: Re: [Oisf-users] EVE-Log identity, facility, level
>>
>> On Mon, Jun 9, 2014 at 6:37 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
>>> When I use eve-log, the default parameters are always used for 
>>> identity, facility, and level.
>>>
>>>
>>>
>>> ex:
>>>
>>> A configuration of the following:
>>>
>>>   # "United" event log in JSON format
>>>   - eve-log:
>>>       enabled: yes
>>>       #file|syslog|unix_dgram|unix_stream
>>>       type: syslog
>>>       # filename: eve.json
>>>       # the following are valid when type: syslog above
>>>       identity: "suriEVE" #"suricata"
>>>       facility: local1
>>>       level: Debug ## possible levels: Emergency, Alert, Critical,
>>>                    ## Error, Warning, Notice, Info, Debug
>>>       types:
>>>         - alert
>>>         - http:
>>>             extended: yes     # enable this for extended logging information
>>>         - dns
>>>         - tls:
>>>             extended: yes     # enable this for extended logging information
>>>         - files:
>>>             force-magic: no   # force logging magic on all logged files
>>>             force-md5: no     # force logging of md5 checksums
>>>         #- drop
>>>         - ssh
>>>
>>> Always results in syslog messages with identity “suricata”, facility 
>>> “local0” and level “Info” in my logs despite my configuration 
>>> settings.  Is this a known issue (didn’t see one on redmine), or am 
>>> I having a configuration mistake or something?
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Paul
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: 
>>> oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>> Can you reproduce that consistently?
>>
>> --
>> Regards,
>> Peter Manev
>
>
>
> --
> Regards,
> Peter Manev



--
Regards,
Peter Manev