[Oisf-users] Problems with multiple EVE logging outputs
Jay M.
jskier at gmail.com
Thu Jan 29 19:42:10 UTC 2015
Interesting, it may have to do with using the same types multiple
times. Beta3 fixed a redundancy issue, which isn't exactly related to
what you're seeing (almost the opposite problem).
Are you able to test beta3 with this? When I have time I can give it a
shot in my test environment. Looks like a bug report is probably in
order.
--
Jay
jskier at gmail.com
On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <latt0050 at umn.edu> wrote:
> Is anyone successfully using multiple eve json methods?
>
> Note that I'm using Suricata 2.1beta2
>
> For details see:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>
> I'm currently attempting to output to both a file and syslog. I'm
> sidestepping the eve-logging syslog output problems by enabling "standard"
> syslog alert output, which generates redundant alerts, but otherwise works
> to set the facility and identity of eve-log. (See:
> https://redmine.openinfosecfoundation.org/issues/1204)
>
> I'm having no luck. I get either syslog output or file output,
> depending on the order of the eve-log entries. Never both. The second
> eve-log appears to override the first, which is not the behavior I'd expect
> after reading:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>
> Below are the relevant snippets from the suricata.yaml:
>
>
> outputs:
>   - syslog:
>       enabled: yes
>       # reported identity to syslog. If omitted the program name (usually
>       # suricata) will be used.
>       identity: "suricata"
>       facility: local5
>       level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug
>
>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>   - eve-log:
>       enabled: yes
>       type: syslog #file|syslog|unix_dgram|unix_stream
>       # the following are valid when type: syslog above
>       identity: "suricata"
>       facility: local5
>       level: Info ## possible levels: Emergency, Alert, Critical,
>                   ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert:
>             payload-printable: yes # enable dumping payload in printable (lossy) format
>
>   - eve-log:
>       enabled: yes
>       type: file #file|syslog|unix_dgram|unix_stream
>       filename: eve-port1.json
>       # the following are valid when type: syslog above
>       #identity: "suricata"
>       #facility: local5
>       #level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert:
>             payload-printable: yes # enable dumping payload in printable (lossy) format
>
>
>
> Thanks!
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
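A way to confirm the "never both" symptom from the logs themselves, added here as an example and not code from the thread or from Suricata: it reads EVE JSON alert records from the file sink and from syslog lines (assuming the usual "<Mon DD HH:MM:SS> <host> <identity>[pid]: " prefix, with the non-JSON lines of the redundant "standard" syslog alert output mixed in and skipped) and reports alerts that reached only one sink. All sample lines are constructed.

```python
import json
import re

# Constructed sample of eve-port1.json (type: file); two alerts were written.
FILE_LINES = [
    '{"timestamp":"2015-01-29T12:38:01.000001-0600","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"rev":7}}',
    '{"timestamp":"2015-01-29T12:38:02.000002-0600","flow_id":2,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"rev":7}}',
]
# Constructed sample of what syslog (facility local5) received in the same
# period: one EVE record, plus a line from the redundant "standard" syslog
# alert output, which is not JSON and must be skipped.
SYSLOG_LINES = [
    'Jan 29 12:38:01 sensor1 suricata[4242]: {"timestamp":"2015-01-29T12:38:01.000001-0600","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"rev":7}}',
    'Jan 29 12:38:02 sensor1 suricata[4242]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.6:80 -> 10.0.0.9:51000',
]

# Assumed syslog line shape: "<Mon DD HH:MM:SS> <host> <identity>[pid]: <EVE JSON>"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ [^:]+: (?P<json>\{.*\})$")


def event_key(ev):
    """Identify an alert by when it fired, the flow it belongs to and the rule."""
    return (ev["timestamp"], ev.get("flow_id"), ev["alert"]["signature_id"])


def file_alerts(lines):
    """Keys of every alert record in EVE file output."""
    events = (json.loads(line) for line in lines if line.strip())
    return {event_key(ev) for ev in events if ev.get("event_type") == "alert"}


def syslog_alerts(lines):
    """Keys of every EVE alert record found inside syslog lines."""
    keys = set()
    for line in lines:
        match = SYSLOG_RE.match(line)
        if not match:
            continue  # no JSON payload: the classic one-line alert, not EVE
        ev = json.loads(match.group("json"))
        if ev.get("event_type") == "alert":
            keys.add(event_key(ev))
    return keys


def compare_sinks(file_lines, syslog_lines):
    """Return (missing_from_syslog, missing_from_file) as sets of event keys."""
    in_file, in_syslog = file_alerts(file_lines), syslog_alerts(syslog_lines)
    return in_file - in_syslog, in_syslog - in_file


if __name__ == "__main__":
    only_file, only_syslog = compare_sinks(FILE_LINES, SYSLOG_LINES)
    print("alerts missing from syslog:", sorted(only_file))
    print("alerts missing from file:", sorted(only_syslog))
```

On the constructed sample the second alert is reported as missing from syslog; run against real eve-port1.json and the local5 log, an empty result on both sides is what a working dual-output setup should produce.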