[Oisf-users] Suricata 2.0.8 -->Cannot get logs to SIEM

Brandon Lattin latt0050 at umn.edu
Tue Jun 30 14:42:18 UTC 2015


nc is great for backdoors, but not exactly my first choice for production

Just export it with a specific facility.

rsyslog.conf snippet:
local5.*;mark.info              @foo.bar.com

suricata.yaml snippet (note the double syslog config; necessary as eve-log
to syslog doesn't do anything without "- syslog:" also configured; someday
this will get fixed?):

  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      append: yes
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      #filename: eve-port0.json
      # the following are valid when type: syslog above
      identity: "suricata"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:      # record types to emit; the alert block is an item of this list
        - alert:
            payload: no            # enable dumping payload in Base64
            payload-printable: yes # enable dumping payload in printable (lossy) format
            packet: no             # enable dumping of packet (without stream segments)
            http: no               # enable dumping of http fields

Or you could just use Splunk with a Splunk Universal Forwarder and just eat
the eve.json directly off the sensor ;-P

On Tue, Jun 30, 2015 at 9:29 AM, Oliver Humpage <oliver at watershed.co.uk>

> On 30 Jun 2015, at 15:05, chuckpc at yahoo.com wrote:
> > *.* @
> If that's sending absolutely everything that gets syslogged to the SIEM,
> perhaps the SIEM is getting confused?
> Have you tried getting rsyslog to send the suricata output to a file, and
> then sending individual lines over to the SIEM using nc(1)? That'd make
> sure it really was logging the lines you'd expect, and then you can use eg
> echo '<14>sourcehost LogLine' | nc -u 514
> to see if you can get the SIEM to accept valid lines. Also compare said
> lines with the output of snort and see if there's a difference.
> If that works, try limiting what's being sent in rsyslog. If it doesn't
> work, I'd suspect a config issue in the receiving host.
> You may have already tried all this of course. I'm afraid I use logstash
> (and logstash-forwarder) to centralise log collection, so my knowledge of
> Junipers and rsyslog is limited.
> Oliver.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net

Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
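As an added example (not code from either poster): a small Python checker for lines as they reach the SIEM. It decodes the syslog <PRI> header into facility and severity (the local5/info config above should arrive as <174>, the quoted test line as <14>) and confirms the message body carries a parseable EVE JSON object. The sample lines are constructed for illustration.

```python
import json
import re

# RFC 3164 codes; local5 (21) is what the rsyslog/suricata snippets above select.
FACILITIES = {"user": 1, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity: local5/info -> 174, user/info -> 14."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def check_line(line, expected_facility="local5"):
    """Inspect one line as the SIEM receives it: is the <PRI> header present and
    legal, which facility/severity does it encode, and does the body carry a
    parseable EVE JSON object (Suricata puts the JSON after the identity tag)?"""
    m = PRI_RE.match(line)
    if not m:
        return {"ok": False, "reason": "missing <PRI> header"}
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return {"ok": False, "reason": "PRI out of range"}
    facility, severity = divmod(pri, 8)
    fac_name = next((n for n, v in FACILITIES.items() if v == facility), str(facility))
    body = m.group(2)
    event, start = None, body.find("{")
    if start != -1:
        try:
            event = json.loads(body[start:])
        except json.JSONDecodeError:
            event = None  # tag present but payload is not JSON, e.g. a fast.log line
    return {"ok": fac_name == expected_facility and event is not None,
            "facility": fac_name, "severity": SEVERITIES[severity],
            "event_type": event.get("event_type") if event else None}

# Constructed samples: an EVE alert forwarded on local5/info, and the bare
# user/info test line from the quoted reply.
SAMPLE_LINES = [
    '<174>Jun 30 14:42:18 sensor1 suricata: {"timestamp": "2015-06-30T14:42:18.000000+0000",'
    ' "event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "192.0.2.20",'
    ' "alert": {"signature": "CONSTRUCTED TEST SIGNATURE", "severity": 2}}',
    "<14>sourcehost LogLine",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_line(sample))
```

Run it against a capture of what actually lands on the SIEM's UDP 514 to tell a facility filter problem apart from a malformed-message problem.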