[Oisf-users] Problems with multiple EVE logging outputs
Brandon Lattin
latt0050 at umn.edu
Thu Jan 29 18:38:29 UTC 2015
Is anyone successfully using multiple eve json methods?
Note that I'm using Suricata 2.1beta2
For details see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
I'm currently attempting to output to both a file and syslog. I'm
sidestepping the eve-logging syslog output problems by enabling "standard"
syslog alert output, which generates redundant alerts, but otherwise works
to set the facility and identity of eve-log. (See:
https://redmine.openinfosecfoundation.org/issues/1204)
I'm having no luck. I get either syslog output or file output,
depending on the order of the eve-log entries. Never both. The second
eve-log appears to override the first, which is not the behavior I'd expect
after reading:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
Below are the relevant snippets from the suricata.yaml:
outputs:
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                  ## Error, Warning, Notice, Info, Debug
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      # the following are valid when type: syslog above
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                  ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
            payload-printable: yes # enable dumping payload in printable (lossy) format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve-port1.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
            payload-printable: yes # enable dumping payload in printable (lossy) format
Thanks!
--
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
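As an added check (not part of the original post or of Suricata), the script below parses the `outputs:` section of a suricata.yaml with Ruby's standard-library YAML parser and lists every enabled eve-log sink it finds, flagging entries whose `type` lacks the key it needs. Against the poster's config it shows that YAML itself keeps the two eve-log entries as two separate list items, so any "second overrides the first" behaviour comes from how Suricata registers them, not from the file; the sample config and the required-key table are assumptions for this example.

```ruby
# Added example (not from the original post): enumerate the eve-log outputs
# in a suricata.yaml and check each for the keys its `type` needs.
require 'yaml'

# Constructed sample mirroring the poster's config (indentation restored).
SAMPLE_YAML = <<~YAML
  outputs:
    - syslog:
        enabled: yes
        identity: "suricata"
        facility: local5
        level: Info
    - eve-log:
        enabled: yes
        type: syslog
        identity: "suricata"
        facility: local5
        level: Info
        types:
          - alert:
              payload-printable: yes
    - eve-log:
        enabled: yes
        type: file
        filename: eve-port1.json
        types:
          - alert:
              payload-printable: yes
YAML

# Assumed minimum keys per eve-log type (file-like sinks need a filename,
# syslog needs a facility).
REQUIRED = { 'file' => %w[filename], 'syslog' => %w[facility],
             'unix_dgram' => %w[filename], 'unix_stream' => %w[filename] }.freeze

# Returns one hash per enabled eve-log list item: position, type, missing keys.
def eve_log_sinks(yaml_text)
  outputs = YAML.safe_load(yaml_text).fetch('outputs', [])
  outputs.each_with_index.filter_map do |item, idx|
    cfg = item['eve-log'] or next        # each list item is a single-key hash
    next unless cfg['enabled'] == true   # YAML 1.1 `yes` parses to true
    type = cfg['type'].to_s
    missing = REQUIRED.fetch(type, []).reject { |k| cfg.key?(k) }
    { index: idx, type: type, missing: missing }
  end
end

if __FILE__ == $PROGRAM_NAME
  sinks = eve_log_sinks(SAMPLE_YAML)
  puts "#{sinks.size} enabled eve-log output(s) parsed as separate list items"
  sinks.each { |s| puts "  outputs[#{s[:index]}]: type=#{s[:type]} missing=#{s[:missing].inspect}" }
end
```

Run it against a real suricata.yaml by replacing SAMPLE_YAML with `File.read(path)`; a wrapped comment line such as the "(lossy) format" fragment in the original mail makes the parse fail outright, which is worth ruling out before blaming the output registration.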