[Oisf-users] Problems with multiple EVE logging outputs

Jay M. jskier at gmail.com
Thu Jan 29 19:42:10 UTC 2015


Interesting, it may have to do with using the same types multiple
times. Beta3 fixed a redundancy issue, which isn't exactly related to
what you're seeing (almost the opposite problem).

Are you able to test beta3 with this? When I have time I can give it a
shot in my test environment. Looks like a bug report is probably in
order.

--
Jay
jskier at gmail.com


On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <latt0050 at umn.edu> wrote:
> Is anyone successfully using multiple eve json methods?
>
> Note that I'm using Suricata 2.1beta2
>
> For details see:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>
> I'm currently attempting to output to both a file and syslog. I'm
> sidestepping the eve-logging syslog output problems by enabling "standard"
> syslog alert output, which generates redundant alerts, but otherwise works
> to set the facility and identity of eve-log. (See:
> https://redmine.openinfosecfoundation.org/issues/1204)
>
> I'm having no luck. I either get syslog output or file output,
> depending on the order of the eve-log entries. Never both. The second
> eve-log appears to override the first, which is not the behavior I'd expect
> after reading:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>
> Below are the relevant snippets from the suricata.yaml:
>
>
> outputs:
>   - syslog:
>       enabled: yes
>       # reported identity to syslog. If omitted the program name (usually
>       # suricata) will be used.
>       identity: "suricata"
>       facility: local5
>       level: Info ## possible levels: Emergency, Alert, Critical,
>       ## Error, Warning, Notice, Info, Debug
>
>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>   - eve-log:
>       enabled: yes
>       type: syslog #file|syslog|unix_dgram|unix_stream
>       # the following are valid when type: syslog above
>       identity: "suricata"
>       facility: local5
>       level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert:
>              payload-printable: yes # enable dumping payload in printable (lossy) format
>
>   - eve-log:
>       enabled: yes
>       type: file #file|syslog|unix_dgram|unix_stream
>       filename: eve-port1.json
>       # the following are valid when type: syslog above
>       #identity: "suricata"
>       #facility: local5
>       #level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert:
>              payload-printable: yes # enable dumping payload in printable (lossy) format
>
>
>
> Thanks!
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
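The setup Brandon describes (a file copy of the EVE records plus a syslog copy carrying facility local5 and identity "suricata") can also be reached with a single eve-log of type file and a small forwarder that re-emits the records to syslog. The script below is an added example for this thread, not code from Suricata or from either poster. It assumes an eve-log file output is already writing one JSON object per line, wraps selected records as RFC 5424 syslog messages, and skips torn lines so a partial write never stops the forwarder. The hostname `sensor1`, the UDP collector address, and the sample records are constructed for the example.

```python
"""Forward Suricata EVE JSON records from the eve-log file output to syslog.

Added example for this thread, not code from Suricata or from the posters.
It assumes an eve-log of type "file" is already writing one JSON object per
line; it re-emits selected records as RFC 5424 syslog messages carrying the
facility and identity the quoted config uses (local5, "suricata").  The
hostname, the UDP target and the sample records are constructed.
"""
import json
import re
import socket
from typing import Callable, Iterable, Iterator, Optional

# RFC 5424 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed sample lines in the shape an eve-log file output produces
# (one JSON record per line); the third line imitates a torn, partial write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-01-29T12:38:00.000001-0600","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1,"rev":1,'
    '"signature":"CONSTRUCTED example alert","category":"","severity":3}}',
    '{"timestamp":"2015-01-29T12:38:01.000002-0600","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test"}}',
    '{"timestamp":"2015-01-29T12:38:02',
]


def pri(facility: str, level: str) -> int:
    """Compute the syslog PRI value; names are case-insensitive like the yaml keys."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[level.lower()]


def rfc5424_timestamp(ts: str) -> str:
    """EVE writes UTC offsets as -0600; RFC 5424 wants -06:00.  Other forms pass through."""
    return re.sub(r"([+-]\d\d)(\d\d)$", r"\1:\2", ts)


def iter_events(lines: Iterable[str],
                event_types: Optional[Iterable[str]] = ("alert",)) -> Iterator[dict]:
    """Yield parsed records whose event_type is wanted (None = all); skip bad lines."""
    wanted = None if event_types is None else set(event_types)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn write or tail of a rotated file: skip, do not stop forwarding
        if not isinstance(event, dict):
            continue
        if wanted is None or event.get("event_type") in wanted:
            yield event


def to_syslog(event: dict, identity: str = "suricata", facility: str = "local5",
              level: str = "Info", hostname: str = "sensor1") -> str:
    """Wrap one EVE record as an RFC 5424 message: <PRI>1 TIMESTAMP HOST APP - - - MSG."""
    ts = rfc5424_timestamp(event.get("timestamp", "-"))
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return f"<{pri(facility, level)}>1 {ts} {hostname} {identity} - - - {msg}"


def forward(lines: Iterable[str], send: Callable[[str], None], **syslog_opts) -> int:
    """Forward every wanted record through send(); return how many were forwarded."""
    count = 0
    for event in iter_events(lines):
        send(to_syslog(event, **syslog_opts))
        count += 1
    return count


def udp_sender(host: str = "127.0.0.1", port: int = 514) -> Callable[[str], None]:
    """Build a send() that ships each message as one UDP datagram to a syslog collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(message: str) -> None:
        sock.sendto(message.encode("utf-8"), (host, port))

    return send


if __name__ == "__main__":
    import sys
    # Usage: python eve_to_syslog.py /var/log/suricata/eve-port1.json [collector-host]
    # With no path the constructed sample lines are formatted and printed, not sent.
    if len(sys.argv) > 1:
        target = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(f"forwarded {forward(fh, udp_sender(target))} records")
    else:
        forward(SAMPLE_EVE_LINES, print)
```

Run it against the EVE file once to check the formatting, then wrap it in whatever tails the file for you; because the syslog copy is derived from the file copy, the two stay in step and there is no second eve-log block to override the first.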
