[Oisf-users] Issues with suricata eve.json datagramm logging?

Jason Ish lists at ish.cx
Thu May 25 00:48:57 UTC 2017

On 24/05/17 06:35 PM, Cooper F. Nelson wrote:
> Hi Jason,
> Thanks so much for your help.  Is there a guide anywhere on how to use
> the syslog (vs. datagram) logging?  And whether or not there is any
> benefit to do so?

There is a recent blog post about using syslog-ng, not sure if it will 
fit your use case though:


But I think your end-goal will determine ultimately whats best for you. 
In an environment that generates lots of logs I'd probably opt not to 
use unix_sock or unix_dgram right now. If the receiver can't keep up to 
the pace of events, it could actually cause Suricata to drop packets. 
The next release of Suricata will drop events if the receiver can't keep 
up instead of blocking packets.

But if your syslog daemon is syslog-ng, I'd maybe just try using plain 
old syslog before bothering with the socket, but I don't really have any 
experience with doing that myself.


More information about the Oisf-users mailing list