[Oisf-users] Problems with multiple EVE logging outputs

Brandon Lattin latt0050 at umn.edu
Thu Jan 29 20:20:03 UTC 2015


I have another box I can test beta3 on.

Give me about 20 minutes and I'll get back to you.

On Thu, Jan 29, 2015 at 1:42 PM, Jay M. <jskier at gmail.com> wrote:

> Interesting, it may have to do with using the same types multiple
> times. Beta3 fixed a redundancy issue, which isn't exactly related to
> what you're seeing (almost the opposite problem).
>
> Are you able to test beta3 with this? When I have time I can give it a
> shot in my test environment. Looks like a bug report is probably in
> order.
>
> --
> Jay
> jskier at gmail.com
>
>
> On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <latt0050 at umn.edu> wrote:
> > Is anyone successfully using multiple eve json methods?
> >
> > Note that I'm using Suricata 2.1beta2
> >
> > For details see:
> >
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
> >
> > I'm currently attempting to output to both a file and syslog. I'm
> > sidestepping the eve-logging syslog output problems by enabling "standard"
> > syslog alert output, which generates redundant alerts, but otherwise works
> > to set the facility and identity of eve-log. (See:
> > https://redmine.openinfosecfoundation.org/issues/1204)
> >
> > I'm having no luck. I get either syslog output or file output,
> > depending on the order of the eve-log entries. Never both. The second
> > eve-log appears to override the first, which is not the behavior I'd expect
> > after reading:
> >
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
> >
> > Below are the relevant snippets from the suricata.yaml:
> >
> >
> > outputs:
> >   - syslog:
> >       enabled: yes
> >       # reported identity to syslog. If omitted the program name (usually
> >       # suricata) will be used.
> >       identity: "suricata"
> >       facility: local5
> >       level: Info ## possible levels: Emergency, Alert, Critical,
> >                   ## Error, Warning, Notice, Info, Debug
> >
> >   # Extensible Event Format (nicknamed EVE) event log in JSON format
> >   - eve-log:
> >       enabled: yes
> >       type: syslog #file|syslog|unix_dgram|unix_stream
> >       # the following are valid when type: syslog above
> >       identity: "suricata"
> >       facility: local5
> >       level: Info ## possible levels: Emergency, Alert, Critical,
> >                   ## Error, Warning, Notice, Info, Debug
> >       types:
> >         - alert:
> >              payload-printable: yes # enable dumping payload in printable (lossy) format
> >
> >   - eve-log:
> >       enabled: yes
> >       type: file #file|syslog|unix_dgram|unix_stream
> >       filename: eve-port1.json
> >       # the following are valid when type: syslog above
> >       #identity: "suricata"
> >       #facility: local5
> >       #level: Info ## possible levels: Emergency, Alert, Critical,
> >                   ## Error, Warning, Notice, Info, Debug
> >       types:
> >         - alert:
> >              payload-printable: yes # enable dumping payload in printable (lossy) format
> >
> >
> >
> > Thanks!
> >
> > --
> > Brandon Lattin
> > Security Analyst
> > University of Minnesota - University Information Security
> > Office: 612-626-6672
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
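As an added example (not code from this thread, and not part of the Suricata project): one way around the "second eve-log overrides the first" behaviour described above is to keep a single eve-log of type file and ship its alert records to syslog from outside Suricata, using the facility (local5) and identity ("suricata") the posted config asks for. The script below is stdlib-only Python. The EVE field names follow the alert records documented on the EveJSONOutput wiki page linked above; the one-line message layout is this example's own (fast.log-like, not a Suricata format); the syslog address 127.0.0.1:514/UDP is an assumption; and the sample lines are constructed, not captured traffic.

```python
#!/usr/bin/env python3
"""Forward Suricata EVE alert records from eve.json to syslog.

Added example, not from the mailing-list thread or the Suricata project.
Assumptions: eve.json holds one JSON object per line in the EVE format;
syslog accepts UDP on 127.0.0.1:514 (change `address` in make_logger).
"""
import json
import logging
import logging.handlers
import sys
import time

FACILITY = logging.handlers.SysLogHandler.LOG_LOCAL5  # facility: local5
IDENT = "suricata"                                     # identity: "suricata"


def parse_eve_line(line):
    """Parse one EVE line; return None for blank or malformed lines so a
    half-written record at the end of the file does not kill the forwarder."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return rec if isinstance(rec, dict) else None


def is_wanted(rec, types=("alert",)):
    """Mirror the `types:` list of an eve-log block: keep selected event types."""
    return rec.get("event_type") in types


def format_alert(rec):
    """Render an alert record as one syslog-friendly line (this example's own
    layout). Payload fields are deliberately left out: syslog daemons truncate
    long messages, so payload-printable belongs in the file copy only."""
    a = rec.get("alert", {})
    return ("{event_type} [{gid}:{sid}:{rev}] {sig} [Classification: {cat}] "
            "[Priority: {sev}] {{{proto}}} {src_ip}:{src_port} -> "
            "{dest_ip}:{dest_port}").format(
        event_type=rec.get("event_type", ""),
        gid=a.get("gid", ""), sid=a.get("signature_id", ""), rev=a.get("rev", ""),
        sig=a.get("signature", ""), cat=a.get("category", ""),
        sev=a.get("severity", ""), proto=rec.get("proto", ""),
        src_ip=rec.get("src_ip", ""), src_port=rec.get("src_port", ""),
        dest_ip=rec.get("dest_ip", ""), dest_port=rec.get("dest_port", ""))


def build_messages(lines, types=("alert",)):
    """Pure pipeline: EVE lines in, syslog message strings out. Kept apart
    from the socket code so it can be exercised without a syslog daemon."""
    out = []
    for line in lines:
        rec = parse_eve_line(line)
        if rec is not None and is_wanted(rec, types):
            out.append(format_alert(rec))
    return out


def make_logger(address=("127.0.0.1", 514)):
    """Logger wired to syslog with facility local5, identity "suricata" and
    level Info, matching the eve-log block from the thread."""
    handler = logging.handlers.SysLogHandler(address=address, facility=FACILITY)
    handler.ident = IDENT + ": "   # SysLogHandler prepends this to every message
    handler.setFormatter(logging.Formatter("%(message)s"))
    log = logging.getLogger("eve2syslog")
    log.setLevel(logging.INFO)
    log.handlers[:] = [handler]
    log.propagate = False
    return log


def follow(path, log):
    """tail -f style loop: forward records as Suricata appends them."""
    with open(path, "r") as fh:
        fh.seek(0, 2)  # start at end of file; only new events are forwarded
        while True:
            line = fh.readline()
            if not line:
                time.sleep(0.5)
                continue
            for msg in build_messages([line]):
                log.info(msg)


# Constructed sample lines in the shape of EVE records (not real traffic).
# The third line is deliberately truncated, as a record still being written.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-01-29T13:00:00.000000-0600","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":44321,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,'
    '"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2015-01-29T13:00:01.000000-0600","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test"}}',
    '{"timestamp":"2015-01-29T13:00:02.000000-0600","event_type":"alert",',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        follow(sys.argv[1], make_logger())   # eve2syslog.py /var/log/suricata/eve.json
    else:
        for m in build_messages(SAMPLE_EVE_LINES):
            print(m)
```

Run it with the eve.json path as its only argument to follow the file; without an argument it formats the embedded sample. The file stays the complete record (including payload-printable), while syslog receives only the alert lines, so the duplicate alerts from the "standard" syslog output workaround in the thread are no longer needed. Syslog over UDP can silently drop messages, so treat the file as authoritative and the syslog copy as a convenience feed.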