[Oisf-users] Suricata 2.0.8 -->Cannot get logs to SIEM
Jeremy MJ
jskier at gmail.com
Tue Jun 30 15:25:53 UTC 2015
> Or you could just use Splunk with a Splunk Universal Forwarder and just eat the eve.json directly off the sensor ;-P
Splunk has worked great with the eve logs for me (indexes JSON very
cleanly), probably similar to Logstash as well.
--
Jeremy MJ
On Tue, Jun 30, 2015 at 9:42 AM, Brandon Lattin <latt0050 at umn.edu> wrote:
>
> Ack.
>
> nc is great for backdoors, but not exactly my first choice for production configurations.
>
> Just export it with a specific facility.
>
> rsyslog.conf snippet:
> local5.*;mark.info @foo.bar.com
>
>
> suricata.yaml snippet (note the double syslog config; necessary as eve-log to syslog doesn't do anything without "- syslog:" also configured; someday this will get fixed?) :
>
> - syslog:
>     enabled: yes
>     # reported identity to syslog. If omitted the program name (usually
>     # suricata) will be used.
>     identity: "suricata"
>     facility: local5
>     level: Info ## possible levels: Emergency, Alert, Critical,
>                 ## Error, Warning, Notice, Info, Debug
>
> # Extensible Event Format (nicknamed EVE) event log in JSON format
> - eve-log:
>     append: yes
>     enabled: yes
>     type: syslog #file|syslog|unix_dgram|unix_stream
>     #filename: eve-port0.json
>     # the following are valid when type: syslog above
>     identity: "suricata"
>     facility: local5
>     level: Info ## possible levels: Emergency, Alert, Critical,
>                 ## Error, Warning, Notice, Info, Debug
>     types:
>       - alert:
>           payload: no # enable dumping payload in Base64
>           payload-printable: yes # enable dumping payload in printable (lossy) format
>           packet: no # enable dumping of packet (without stream segments)
>           http: no # enable dumping of http fields
>
>
>
> Or you could just use Splunk with a Splunk Universal Forwarder and just eat the eve.json directly off the sensor ;-P
>
> On Tue, Jun 30, 2015 at 9:29 AM, Oliver Humpage <oliver at watershed.co.uk> wrote:
>>
>>
>> On 30 Jun 2015, at 15:05, chuckpc at yahoo.com wrote:
>>
>> > *.* @172.18.1.155:514
>>
>> If that's sending absolutely everything that gets syslogged to the SIEM, perhaps the SIEM is getting confused?
>>
>> Have you tried getting rsyslog to send the suricata output to a file, and then sending individual lines over to the SIEM using nc(1)? That'd make sure it really was logging the lines you'd expect, and then you can use eg
>>
>> echo '<14>sourcehost LogLine' | nc -u 172.19.1.155 514
>>
>> to see if you can get the SIEM to accept valid lines. Also compare said lines with the output of snort and see if there's a difference.
>>
>> If that works, try limiting what's being sent in rsyslog. If it doesn't work, I'd suspect a config issue in the receiving host.
>>
>> You may have already tried all this of course. I'm afraid I use logstash (and logstash-forwarder) to centralise log collection, so my knowledge of Junipers and rsyslog is limited.
>>
>> Oliver.
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
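The thread above proposes two checks: Oliver's hand-built `<14>sourcehost LogLine` pushed at the SIEM with nc, and Brandon's rsyslog forward of a local5-tagged eve-log. The script below is an added example, not code from the thread or from the Suricata project. It ties the two together: it computes the syslog PRI (facility * 8 + severity, so `<14>` is user.info while Brandon's local5.info forward arrives as `<174>`), wraps a constructed EVE alert in a BSD-syslog line of the shape rsyslog forwards by default, parses it back the way a receiver would, and sends it over a loopback UDP socket that stands in for the SIEM. The hostname "sensor01", the sample alert, the 127.0.0.1 receiver and the 1024-byte RFC 3164 size check are assumptions for illustration; nothing here is taken from the original poster's environment. If `parse_syslog_line` accepts the line and the loopback copy matches, the line format is not the problem and the receiving host's config is the next suspect, which is the conclusion Oliver's test was aiming at.

```python
"""Added example (not from the thread): build, parse and loopback-test the
syslog line an rsyslog forward of Suricata's eve-log would carry."""
import json
import re
import socket
import time

# Facility and severity codes from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}

# Constructed EVE alert in the Suricata 2.0 layout; every value is made up (local sid range).
SAMPLE_ALERT = {
    "timestamp": "2015-06-30T15:25:53.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 49152,
    "dest_ip": "10.0.0.9", "dest_port": 80,
    "proto": "TCP",
    "alert": {
        "action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
        "signature": "LOCAL constructed test alert",
        "category": "Attempted Information Leak", "severity": 2,
    },
}

BSD_SYSLOG_MAX = 1024  # RFC 3164 4.1: a packet MUST be 1024 bytes or less (assumed receiver limit)


def syslog_pri(facility, severity):
    """<PRI> for a facility.severity pair: local5.info -> 174, user.info -> 14."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Inverse of syslog_pri: 174 -> ("local5", "info")."""
    return _FACILITY_BY_CODE[pri // 8], _SEVERITY_BY_CODE[pri % 8]


def build_syslog_line(facility, severity, hostname, identity, event, ts=None):
    """One BSD-syslog line: <PRI>Mmm dd HH:MM:SS HOST TAG: JSON (day is space-padded)."""
    if ts is None:
        t = time.localtime()
        ts = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    msg = json.dumps(event, separators=(",", ":"))  # eve-log writes one compact JSON object
    return "<%d>%s %s %s: %s" % (syslog_pri(facility, severity), ts, hostname, identity, msg)


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Parse a line the way a receiver would; ValueError on anything a SIEM should reject."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:60])
    facility, severity = decode_pri(int(m.group("pri")))
    event = json.loads(m.group("msg"))  # raises if the JSON was truncated in transit
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "tag": m.group("tag"), "event": event}


def exceeds_bsd_limit(line):
    """True when a payload-bearing alert would be cut by a strict RFC 3164 receiver."""
    return len(line.encode("utf-8")) > BSD_SYSLOG_MAX


def send_udp(line, host, port):
    """Equivalent of `echo '<14>...' | nc -u HOST PORT`, without nc's trailing newline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def udp_roundtrip(line):
    """Stand-in for the SIEM: bind an ephemeral loopback port, send, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    line = build_syslog_line("local5", "info", "sensor01", "suricata", SAMPLE_ALERT)
    print(line)
    print("over RFC 3164 limit:", exceeds_bsd_limit(line))
    print(parse_syslog_line(udp_roundtrip(line)))
```

To aim the same line at a real collector instead of the loopback stub, call `send_udp(line, "172.18.1.155", 514)` and watch the receiver; if that line lands but rsyslog's forward does not, compare the two on the wire, since the one thing this script cannot reproduce is whatever template or rate limit the sending rsyslog applies.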