[Oisf-users] Problems with multiple EVE logging outputs

Brandon Lattin latt0050 at umn.edu
Thu Jan 29 18:38:29 UTC 2015


Is anyone successfully using multiple eve json methods?

Note that I'm using Suricata 2.1beta2

For details see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput

I'm currently attempting to output to both a file and syslog. I'm
sidestepping the eve-logging syslog output problems by enabling "standard"
syslog alert output, which generates redundant alerts, but otherwise works
to set the facility and identity of eve-log. (See:
https://redmine.openinfosecfoundation.org/issues/1204)

I'm having no luck. I get either syslog output or file output,
depending on the order of the eve-log entries. Never both. The second
eve-log appears to override the first, which is not the behavior I'd expect
after reading:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput

Below are the relevant snippets from the suricata.yaml:


outputs:
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
      ## Error, Warning, Notice, Info, Debug

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      # the following are valid when type: syslog above
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
             payload-printable: yes # enable dumping payload in printable (lossy) format

  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve-port1.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
             payload-printable: yes # enable dumping payload in printable (lossy) format



Thanks!

-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
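As an added example (not code from the post, and not part of Suricata), a small config lint that walks the outputs list, collects every enabled eve-log item and warns when more than one is present, which is the situation described above. The sample input is a constructed copy of the quoted snippet; the scan is line-oriented and assumes the indentation layout shown, not arbitrary YAML.

```python
# Constructed sample mirroring the two eve-log items quoted in the post.
SAMPLE_YAML = """\
outputs:
  - eve-log:
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      identity: "suricata"
      types:
        - alert:
             payload-printable: yes
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve-port1.json
      types:
        - alert:
             payload-printable: yes
"""

def eve_log_instances(text):
    """Collect the direct scalar keys of each '- eve-log:' item (indentation scan, not full YAML)."""
    instances, current, item_indent, key_indent = [], None, -1, -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; no value here contains '#'
        if not line.strip():
            continue
        indent, stripped = len(line) - len(line.lstrip(" ")), line.strip()
        if current is not None and indent <= item_indent:
            current = None  # a sibling list item or a dedent closes the open item
        if stripped.startswith("- "):
            if stripped == "- eve-log:":
                current = {}
                instances.append(current)
                item_indent, key_indent = indent, -1
            continue
        if current is None:
            continue
        key_indent = indent if key_indent == -1 else key_indent  # first child sets the level
        key, _, value = stripped.partition(":")
        if indent == key_indent and value.strip():  # skips the nested 'types:' subtree
            current[key.strip()] = value.strip().strip('"')
    return instances

def check_outputs(text):
    """Warn when more than one eve-log item is enabled, the configuration the post shows."""
    enabled = [i for i in eve_log_instances(text) if i.get("enabled", "") == "yes"]
    sinks = ", ".join(i.get("filename") or i.get("type", "?") for i in enabled)
    return ["%d enabled eve-log items (%s); the post reports only the last one taking effect" % (len(enabled), sinks)] if len(enabled) > 1 else []
```

Run `check_outputs(open("suricata.yaml").read())` against a real config to get the warning list; an empty list means at most one eve-log item is enabled.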