[Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Gofran, Paul paul.gofran at lmco.com
Mon Jun 9 21:37:53 UTC 2014


Thanks, I just submitted #1204.  Please let me know if any more information is required.

Thanks,
Paul

From: Tom DeCanio [mailto:decanio.tom at gmail.com]
Sent: Monday, June 09, 2014 5:36 PM
To: Peter Manev
Cc: Gofran, Paul; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] EXTERNAL: Re: EVE-Log identity, facility, level

Peter;
I'll fix this one.  It looks like I left out some of the config that I had intended.
Tom

On Mon, Jun 9, 2014 at 2:03 PM, Peter Manev <petermanev at gmail.com> wrote:
On Mon, Jun 9, 2014 at 9:58 PM, Gofran, Paul <paul.gofran at lmco.com> wrote:
> Peter, I enabled the syslog section and did see the identity and facility change for my log messages.  The level still came out as "info" always though.  I tried the following options for level:  Debug, debug, "Debug", and "debug".   All came out as info.
>
> So correct me if I'm wrong but are there 3 related issues here?
> 1) The eve-log parameters identity, facility, and level don't affect anything.  It didn't matter if I made these the same as the syslog section or different, they didn't take effect.
> 2) The syslog section is not just for alerts and the identity, facility, and level parameters affect eve-log when it's in syslog mode.
> 3) The level parameter is not working
>
> I'll be happy to try out any other test configurations if you have any other ideas.  If these are actual issues let me know if you want me to submit a bug.  Thanks for the help.
>
> -Paul
>
>
Could you open a ticket for this one actually?
I think eve.json should be able to make those changes without being
dependent if syslog is enabled further down in the section.

thanks


--
Regards,
Peter Manev