[Oisf-users] Syslog - fast.log - rsyslog
Tiago Faria
tiago.faria.backups at gmail.com
Wed Apr 11 09:29:28 UTC 2018
Thanks Greg! Makes sense.
Using the following in rsyslog.conf:
# imfile must be loaded before an input of that type can be declared;
# without this line rsyslog cannot create the input and fast.log is never read.
module(load="imfile")
input(type="imfile"
      File="/var/log/suricata/fast.log"
      Tag="Suricata"
      Severity="info"
      Facility="local5")
and relaying all facility to the SIEM, with:
*.* @server:514
Should be all I need then. Still, can't seem to get messages from fast.log.
Any tips/pointers appreciated.
Thank you.
On Wed, Apr 11, 2018 at 1:22 AM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> AFAIK you either have to configure local rsyslog to monitor the fast.log
> output with imfile and forward it, or do as we do and output to unified2
> file and use Barnyard2 to forward to local5 and config your local
> rsyslog.conf to forward to your remote server
>
> Greg
>
> On 04/10/18 23:29:53, Tiago Faria wrote:
> > Hi list,
> >
> > In an environment where my syslog data is being forwarded to a collector
> > (SIEM, for example), previously, I was able to get the output that can be
> > found in fast.log from syslog itself (and those messages would end up in
> > the SIEM).
> >
> > On my latest test, though, I can't.
> >
> > Other than specifying the syslog output, is there anything that needs to
> > be done so that Suricata also writes to syslog (in this particular case,
> > rsyslog)?
> >
> > Thank you.
>
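A quick way to check an rsyslog.conf for the pieces the imfile setup in this thread depends on. This is an added example, not code from the thread or from the rsyslog or Suricata projects; it assumes rsyslog's `module(...)`/`input(...)` syntax, and the `siem.example` host name in the corrected config is a placeholder. The two sample configs are constructed here: the first mirrors the posted snippet, which declares an imfile input but never loads the imfile module, so rsyslog cannot create the input and nothing from fast.log is ever forwarded; the second adds the module load.

```shell
#!/bin/sh
# Added example (not from the thread): lint an rsyslog config for the
# pieces the imfile -> SIEM setup needs. Sample configs below are constructed.

# Drop comment lines so a commented-out directive does not count as present.
active_lines() {
    grep -Ev '^[[:space:]]*#' "$1"
}

# Returns 0 when the config loads imfile, declares an imfile input for the
# watched file, and forwards local5 (or everything) to a remote host.
# Otherwise prints each gap and returns 1.
check_rsyslog_imfile_conf() {
    conf="$1"
    watched="${2:-/var/log/suricata/fast.log}"
    status=0
    if ! active_lines "$conf" | grep -Eq 'module[[:space:]]*\([[:space:]]*load[[:space:]]*=[[:space:]]*"imfile"'; then
        echo "MISSING: module(load=\"imfile\") - without it rsyslog cannot create the imfile input"
        status=1
    fi
    if ! active_lines "$conf" | grep -Eq 'type[[:space:]]*=[[:space:]]*"imfile"'; then
        echo "MISSING: input(type=\"imfile\" ...) block"
        status=1
    fi
    if ! active_lines "$conf" | grep -Fq "File=\"$watched\""; then
        echo "MISSING: File=\"$watched\" in the imfile input"
        status=1
    fi
    # Forwarding rule: "*.*" or "local5.*" followed by @host (UDP) or @@host (TCP).
    if ! active_lines "$conf" | grep -Eq '^[[:space:]]*(\*|local5)\.\*[[:space:]]+@@?[^[:space:]]+'; then
        echo "MISSING: forwarding rule for local5 (e.g. local5.* @siem.example:514)"
        status=1
    fi
    return "$status"
}

# Constructed: the configuration as posted, with no module(load="imfile").
posted_conf() {
    cat <<'EOF'
input(type="imfile"
      File="/var/log/suricata/fast.log"
      Tag="Suricata"
      Severity="info"
      Facility="local5")
*.* @server:514
EOF
}

# Constructed: the same setup with the module loaded first (placeholder host).
corrected_conf() {
    cat <<'EOF'
module(load="imfile")
input(type="imfile"
      File="/var/log/suricata/fast.log"
      Tag="Suricata"
      Severity="info"
      Facility="local5")
local5.* @siem.example:514
EOF
}

# Stand-alone demo: lint both constructed configs.
demo() {
    dir=$(mktemp -d)
    posted_conf > "$dir/posted.conf"
    corrected_conf > "$dir/corrected.conf"
    echo "== as posted =="
    check_rsyslog_imfile_conf "$dir/posted.conf" || true
    echo "== corrected =="
    check_rsyslog_imfile_conf "$dir/corrected.conf" && echo "OK"
    rm -rf "$dir"
}

demo
```

Run it against a real file with `check_rsyslog_imfile_conf /etc/rsyslog.conf`; if the config is split across `/etc/rsyslog.d/`, point it at the fragment that holds the imfile block. The lint only covers the config text; whether the rsyslog service account can actually read `/var/log/suricata/fast.log` is a separate check.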