[Oisf-users] Problems with multiple EVE logging outputs

Victor Julien lists at inliniac.net
Thu Jan 29 21:14:10 UTC 2015


On 01/29/2015 10:12 PM, Brandon Lattin wrote:
> I'm seeing the same behavior in 2.1beta3.
> 
> Multiple eve-log outputs do not appear to work. Whichever eve-log type
> is processed second is the only active output.

Multiple file outputs may work, but there is something in the syslog
part that overrides the other one iirc, still need to look at it (and fix).

Cheers,
Victor

> On Thu, Jan 29, 2015 at 2:20 PM, Brandon Lattin <latt0050 at umn.edu
> <mailto:latt0050 at umn.edu>> wrote:
> 
>     I have another box I can test beta3 on.
> 
>     Give me about 20 minutes and I'll get back to you.
> 
>     On Thu, Jan 29, 2015 at 1:42 PM, Jay M. <jskier at gmail.com
>     <mailto:jskier at gmail.com>> wrote:
> 
>         Interesting, it may have to do with using the same types multiple
>         times. Beta3 fixed a redundancy issue, which isn't exactly
>         related to
>         what you're seeing (almost the opposite problem).
> 
>         Are you able to test beta3 with this? When I have time I can
>         give it a
>         shot in my test environment. Looks like a bug report is probably in
>         order.
> 
>         --
>         Jay
>         jskier at gmail.com <mailto:jskier at gmail.com>
> 
> 
>         On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin
>         <latt0050 at umn.edu <mailto:latt0050 at umn.edu>> wrote:
>         > Is anyone successfully using multiple eve json methods?
>         >
>         > Note that I'm using Suricata 2.1beta2
>         >
>         > For details see:
>         > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>         >
>         > I'm currently attempting to output to both a file and syslog. I'm
>         > sidestepping the eve-logging syslog output problems by enabling "standard"
>         > syslog alert output, which generates redundant alerts, but otherwise works
>         > to set the facility and identity of eve-log. (See:
>         > https://redmine.openinfosecfoundation.org/issues/1204)
>         >
>         > I'm having no luck. I either get syslog output or file output,
>         > depending on the order of the eve-log entries. Never both. The second
>         > eve-log appears to override the first, which is not the behavior I'd expect
>         > after reading:
>         > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>         >
>         > Below are the relevant snippets from the suricata.yaml:
>         >
>         > outputs:
>         >   - syslog:
>         >       enabled: yes
>         >       # reported identity to syslog. If omitted the program name (usually
>         >       # suricata) will be used.
>         >       identity: "suricata"
>         >       facility: local5
>         >       level: Info ## possible levels: Emergency, Alert, Critical,
>         >                   ## Error, Warning, Notice, Info, Debug
>         >
>         >   # Extensible Event Format (nicknamed EVE) event log in JSON format
>         >   - eve-log:
>         >       enabled: yes
>         >       type: syslog #file|syslog|unix_dgram|unix_stream
>         >       # the following are valid when type: syslog above
>         >       identity: "suricata"
>         >       facility: local5
>         >       level: Info ## possible levels: Emergency, Alert, Critical,
>         >                   ## Error, Warning, Notice, Info, Debug
>         >       types:
>         >         - alert:
>         >             payload-printable: yes # enable dumping payload in printable (lossy) format
>         >
>         >   - eve-log:
>         >       enabled: yes
>         >       type: file #file|syslog|unix_dgram|unix_stream
>         >       filename: eve-port1.json
>         >       # the following are valid when type: syslog above
>         >       #identity: "suricata"
>         >       #facility: local5
>         >       #level: Info ## possible levels: Emergency, Alert, Critical,
>         >                    ## Error, Warning, Notice, Info, Debug
>         >       types:
>         >         - alert:
>         >             payload-printable: yes # enable dumping payload in printable (lossy) format
>         >
>         >
>         >
>         > Thanks!
>         >
>         > --
>         > Brandon Lattin
>         > Security Analyst
>         > University of Minnesota - University Information Security
>         > Office: 612-626-6672 <tel:612-626-6672>
>         >
>         > _______________________________________________
>         > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>         > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>         > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>         > Training now available: http://suricata-ids.org/training/
> 
> 
> 
> 
>     -- 
>     Brandon Lattin
>     Security Analyst
>     University of Minnesota - University Information Security
>     Office: 612-626-6672 <tel:612-626-6672>
> 
> 
> 
> 
> -- 
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
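As an added example (not code from the thread or from Suricata), a small Python audit of a parsed suricata.yaml `outputs:` list that flags the situation described above: more than one enabled eve-log, a file eve-log without a filename, syslog-only keys on a non-syslog entry, and an eve-log syslog sharing a facility with the plain syslog output. `audit_outputs`, `enabled` and the sample data are constructed for this example, and the note that only the last eve-log stays active restates what the thread reports for 2.1beta2/beta3, not documented behaviour.

```python
# Hypothetical audit helper (not Suricata code) for a suricata.yaml outputs: section.
VALID_EVE_TYPES = {"file", "syslog", "unix_dgram", "unix_stream"}
SYSLOG_ONLY_KEYS = {"identity", "facility", "level"}

def enabled(cfg):
    """PyYAML loads `enabled: yes` as True; also accept string spellings."""
    return str(cfg.get("enabled", "no")).lower() in ("yes", "true")

def audit_outputs(outputs):
    """Return a list of findings for a parsed outputs: list (empty = clean)."""
    findings = []
    # Facilities of the plain (non-EVE) syslog output: the thread's workaround
    # that produces redundant alerts when an eve-log syslog uses the same one.
    plain_facilities = {cfg.get("facility") for item in outputs
                        for name, cfg in item.items()
                        if name == "syslog" and enabled(cfg or {})}
    eve = []  # (index, cfg) of every enabled eve-log entry, in file order
    for idx, item in enumerate(outputs):
        for name, cfg in item.items():
            cfg = cfg or {}
            if name != "eve-log" or not enabled(cfg):
                continue
            eve.append((idx, cfg))
            kind = cfg.get("type", "file")
            if kind not in VALID_EVE_TYPES:
                findings.append(f"outputs[{idx}]: unknown eve-log type {kind!r}")
            if kind == "file" and not cfg.get("filename"):
                findings.append(f"outputs[{idx}]: type file needs a filename")
            stray = sorted(SYSLOG_ONLY_KEYS & set(cfg))
            if kind != "syslog" and stray:
                findings.append(f"outputs[{idx}]: {stray} only apply to type syslog")
            if kind == "syslog" and cfg.get("facility") in plain_facilities:
                findings.append(f"outputs[{idx}]: eve-log syslog shares facility "
                                f"{cfg.get('facility')!r} with the plain syslog output, "
                                "expect duplicate alerts")
    if len(eve) > 1:  # the bug in this thread: only the last entry stays active
        last_idx, last = eve[-1]
        findings.append(f"{len(eve)} enabled eve-log outputs; on 2.1beta2/beta3 only "
                        f"the last (outputs[{last_idx}], type {last.get('type', 'file')}) "
                        "is active")
    return findings

# Constructed sample: the thread's outputs: section as PyYAML would load it.
SAMPLE_OUTPUTS = [
    {"syslog": {"enabled": True, "identity": "suricata", "facility": "local5", "level": "Info"}},
    {"eve-log": {"enabled": True, "type": "syslog", "identity": "suricata", "facility": "local5",
                 "level": "Info", "types": [{"alert": {"payload-printable": True}}]}},
    {"eve-log": {"enabled": True, "type": "file", "filename": "eve-port1.json",
                 "types": [{"alert": {"payload-printable": True}}]}},
]
```

Running `audit_outputs(SAMPLE_OUTPUTS)` on the thread's configuration yields two findings: the shared local5 facility and the two enabled eve-log entries of which only the file one would be active.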