[Oisf-users] Problems with multiple EVE logging outputs

Brandon Lattin latt0050 at umn.edu
Thu Jan 29 21:12:05 UTC 2015


I'm seeing the same behavior in 2.1beta3.

Multiple eve-log outputs do not appear to work. Whichever eve-log type is
processed second is the only active output.

On Thu, Jan 29, 2015 at 2:20 PM, Brandon Lattin <latt0050 at umn.edu> wrote:

> I have another box I can test beta3 on.
>
> Give me about 20 minutes and I'll get back to you.
>
> On Thu, Jan 29, 2015 at 1:42 PM, Jay M. <jskier at gmail.com> wrote:
>
>> Interesting, it may have to do with using the same types multiple
>> times. Beta3 fixed a redundancy issue, which isn't exactly related to
>> what you're seeing (almost the opposite problem).
>>
>> Are you able to test beta3 with this? When I have time I can give it a
>> shot in my test environment. Looks like a bug report is probably in
>> order.
>>
>> --
>> Jay
>> jskier at gmail.com
>>
>>
>> On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <latt0050 at umn.edu>
>> wrote:
>> > Is anyone successfully using multiple eve json methods?
>> >
>> > Note that I'm using Suricata 2.1beta2
>> >
>> > For details see:
>> >
>> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>> >
>> > I'm currently attempting to output to both a file and syslog. I'm
>> > sidestepping the eve-logging syslog output problems by enabling "standard"
>> > syslog alert output, which generates redundant alerts, but otherwise works
>> > to set the facility and identity of eve-log. (See:
>> > https://redmine.openinfosecfoundation.org/issues/1204)
>> >
>> > I'm having no luck. I get either syslog output or file output,
>> > depending on the order of the eve-log entries. Never both. The second
>> > eve-log appears to override the first, which is not the behavior I'd expect
>> > after reading:
>> >
>> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>> >
>> > Below are the relevant snippets from the suricata.yaml:
>> >
>> >
>> > outputs:
>> >   - syslog:
>> >       enabled: yes
>> >       # reported identity to syslog. If omitted the program name (usually
>> >       # suricata) will be used.
>> >       identity: "suricata"
>> >       facility: local5
>> >       level: Info ## possible levels: Emergency, Alert, Critical,
>> >       ## Error, Warning, Notice, Info, Debug
>> >
>> >   # Extensible Event Format (nicknamed EVE) event log in JSON format
>> >   - eve-log:
>> >       enabled: yes
>> >       type: syslog #file|syslog|unix_dgram|unix_stream
>> >       # the following are valid when type: syslog above
>> >       identity: "suricata"
>> >       facility: local5
>> >       level: Info ## possible levels: Emergency, Alert, Critical,
>> >                    ## Error, Warning, Notice, Info, Debug
>> >       types:
>> >         - alert:
>> >              payload-printable: yes # enable dumping payload in printable (lossy) format
>> >
>> >   - eve-log:
>> >       enabled: yes
>> >       type: file #file|syslog|unix_dgram|unix_stream
>> >       filename: eve-port1.json
>> >       # the following are valid when type: syslog above
>> >       #identity: "suricata"
>> >       #facility: local5
>> >       #level: Info ## possible levels: Emergency, Alert, Critical,
>> >                    ## Error, Warning, Notice, Info, Debug
>> >       types:
>> >         - alert:
>> >              payload-printable: yes # enable dumping payload in printable (lossy) format
>> >
>> >
>> >
>> > Thanks!
>> >
>> > --
>> > Brandon Lattin
>> > Security Analyst
>> > University of Minnesota - University Information Security
>> > Office: 612-626-6672
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Training now available: http://suricata-ids.org/training/
>>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
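A pre-deployment check for the condition described in this thread, added here as an example and not part of the thread or of Suricata itself: it reads the outputs: section of a suricata.yaml and lists every enabled eve-log block, so a config with more than one (where, as reported, only the last one actually emits events) is flagged before it goes live. The sample YAML is constructed to mirror the posted config, and the helper names parse_outputs and active_eve_outputs are my own; the reader assumes the flat key/value layout shown in the thread rather than being a full YAML parser.

```python
import re

# Constructed sample mirroring the two eve-log blocks posted in the thread
SAMPLE_YAML = """\
outputs:
  - syslog:
      enabled: yes
      identity: "suricata"
  - eve-log:
      enabled: yes
      type: syslog  # file|syslog|unix_dgram|unix_stream
      identity: "suricata"
  - eve-log:
      enabled: yes
      type: file
      filename: eve-port1.json
      types:
        - alert:
            payload-printable: yes
"""

def parse_outputs(text):
    """Return [(name, {key: value}), ...] for each '- name:' item of the outputs list.
    Minimal line-based reader (assumption: the flat layout shown in the thread);
    comments are dropped and nested lists such as 'types:' are not treated as items."""
    entries, item_indent = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip YAML comments
        if not line.strip():
            continue
        m = re.match(r"^(\s*)-\s+([\w-]+):\s*$", line)
        if m and item_indent in (None, len(m.group(1))):
            item_indent = len(m.group(1))             # indent of the outputs items
            entries.append((m.group(2), {}))
            continue
        m = re.match(r"^\s+([\w-]+):\s*(\S.*)$", line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).strip('"')
    return entries

def active_eve_outputs(text):
    """Label every enabled eve-log block ('syslog', 'file:eve-port1.json', ...).
    More than one label means, on the 2.1beta2/beta3 behaviour reported in the
    thread, that only the last block would actually emit events."""
    labels = []
    for name, cfg in parse_outputs(text):
        if name == "eve-log" and cfg.get("enabled", "no").lower() in ("yes", "true"):
            labels.append(cfg.get("type", "?") + (":" + cfg["filename"] if "filename" in cfg else ""))
    return labels
```

Run it against the real suricata.yaml by passing the file contents to active_eve_outputs; a result longer than one entry is the configuration that triggers the behaviour discussed above.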