[Oisf-users] Suricata 2.0.8 -->Cannot get logs to SIEM
Oliver Humpage
oliver at watershed.co.uk
Tue Jun 30 14:29:56 UTC 2015
On 30 Jun 2015, at 15:05, chuckpc at yahoo.com wrote:
> *.* @172.18.1.155:514
If that's sending absolutely everything that gets syslogged to the SIEM, perhaps the SIEM is getting confused?
Have you tried getting rsyslog to send the suricata output to a file, and then sending individual lines over to the SIEM using nc(1)? That'd make sure it really was logging the lines you'd expect, and then you can use e.g.
echo '<14>sourcehost LogLine' | nc -u 172.19.1.155 514
to see if you can get the SIEM to accept valid lines. Also compare said lines with the output of snort and see if there's a difference.
If that works, try limiting what's being sent in rsyslog. If it doesn't work, I'd suspect a config issue in the receiving host.
You may have already tried all this of course. I'm afraid I use logstash (and logstash-forwarder) to centralise log collection, so my knowledge of Junipers and rsyslog is limited.
Oliver.
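One way to script the nc(1) check described above, as an added example that is not part of the original thread: it builds the RFC 3164 `<PRI>` header the same way the `<14>` line does (facility 1 = user, severity 6 = informational) and replays a Suricata log file one line per datagram, so you can match what the collector records against what was sent. The collector address, port, and the `nc -u -w` behaviour are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): replay a Suricata log
# file to a syslog collector line by line over UDP so you can see exactly
# which lines the SIEM accepts. Assumes an nc(1) that understands -u and -w.

# PRI = facility * 8 + severity (RFC 3164). Facility 1 (user) with
# severity 6 (informational) yields the <14> used in the thread.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build "<PRI>TIMESTAMP HOST TAG: MSG". The timestamp is passed in so the
# output is reproducible; use "$(date '+%b %e %H:%M:%S')" for real sends.
syslog_line() {
    facility=$1; severity=$2; ts=$3; host=$4; tag=$5; msg=$6
    printf '<%s>%s %s %s: %s' \
        "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$tag" "$msg"
}

# Send each non-empty line of FILE as its own datagram to DST:PORT, pausing
# between sends so the collector's own log can be matched line by line.
# Prints the number of lines sent.
send_file_lines() {
    file=$1; dst=$2; port=$3; host=${4:-$(hostname)}
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        ts=$(date '+%b %e %H:%M:%S')
        syslog_line 1 6 "$ts" "$host" suricata "$line" | nc -u -w 1 "$dst" "$port"
        n=$((n + 1))
        sleep 1
    done < "$file"
    echo "$n"
}

# Usage: ./replay.sh --send /var/log/suricata/fast.log 172.18.1.155 514
# (collector address and port are placeholders for your own SIEM)
if [ "${1:-}" = "--send" ]; then
    send_file_lines "$2" "$3" "$4"
fi
```

Run a local listener such as `nc -u -l 514` first to confirm the lines leave the box correctly before pointing the script at the SIEM.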