[Oisf-users] Suricata 2.0.8 -->Cannot get logs to SIEM

Oliver Humpage oliver at watershed.co.uk
Tue Jun 30 14:29:56 UTC 2015

On 30 Jun 2015, at 15:05, chuckpc at yahoo.com wrote:

> *.* @

If that's sending absolutely everything that gets syslogged to the SIEM, perhaps the SIEM is getting confused?

Have you tried getting rsyslog to send the suricata output to a file, and then sending individual lines over to the SIEM using nc(1)? That'd make sure it really was logging the lines you'd expect, and then you can use eg

echo '<14>sourcehost LogLine' | nc -u 514

to see if you can get the SIEM to accept valid lines. Also compare said lines with the output of snort and see if there's a difference.

If that works, try limiting what's being sent in rsyslog. If it doesn't work, I'd suspect a config issue in the receiving host.

You may have already tried all this of course. I'm afraid I use logstash (and logstash-forwarder) to centralise log collection, so my knowledge of Junipers and rsyslog is limited.


More information about the Oisf-users mailing list