[Oisf-users] Rsyslog suppressed messages from suricata
craig at reswob10.net
Mon Jul 1 17:08:34 UTC 2019
Thanks. I followed your suggestions and re-enabled the eve-json.
A co-worker had switched it to the other method and I was trying to
duplicate that person's effort.
Working now per below.
Craig
On 2019-06-30 16:48, Michał Purzyński wrote:
> Can you share your suricata.yml? Ideally Suricata should not write events to syslog, eve-json is best used for that. Take a look here to disable the syslog output
>
> https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html
>
> And here to enable the eve-json
>
> https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html
>
> We use syslog-ng to pick up messages from the JSON file and ship them to SIEM.
>
> On Wed, Jun 19, 2019 at 6:02 AM <craig at reswob10.net> wrote:
>
>> Hi, new to suricata. I have a new install on CentOS 7 running rsyslog 8.24.0-34.el7 and I have suricata 4.1.4
>>
>> My problem is it appears rsyslog is blocking writing of events to /var/log/messages because I see no suricata logs, but many of these entries:
>>
>> journal: Suppressed 13475 messages from /system.slice/suricata.service
>>
>> (the number of suppressed messages changes, but the main message stays the same)
>>
>> Is there a particular area of my config I should look at to tweak to fix this? Does this mean I should migrate to a server with more CPU and/or RAM?
>>
>> Thanks
>>
>> Craig
>>
>> My other question is this: is there a way to search the archives? I went to https://lists.openinfosecfoundation.org/pipermail/oisf-users/ but I didn't see a search capability...
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
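The outputs change Michał describes, written out as an added example. This is not Craig's or Michał's suricata.yaml; it is the shape of the `outputs` section on a packaged Suricata 4.1.x install, with the log directory, file name and the list of event types assumed from the shipped defaults. For context on the symptom in the original question: the `journal: Suppressed N messages from /system.slice/suricata.service` line is emitted by systemd-journald's per-service rate limiter (`RateLimitIntervalSec` / `RateLimitBurst` in journald.conf), and on CentOS 7 a syslog() call from Suricata is received by journald before rsyslog reads it, so a busy sensor loses alerts there no matter how rsyslog is tuned. Writing eve-json to a file sidesteps that path entirely.

```yaml
# suricata.yaml (Suricata 4.1.x), "outputs" section only. Added example, not
# the poster's file; paths and event types are the packaged defaults (assumed).
default-log-dir: /var/log/suricata/

outputs:
  # Before: each alert was one syslog() message. On CentOS 7 that goes to
  # journald first, which rate-limits the unit and logs the "Suppressed N
  # messages" line instead of the alerts.
  #  - syslog:
  #      enabled: yes
  #      facility: local5
  #      level: Info

  # After: syslog output disabled ...
  - syslog:
      enabled: no
      facility: local5

  # ... and structured JSON written straight to a regular file.
  - eve-log:
      enabled: yes
      filetype: regular      # a file; the other choices (syslog, unix_dgram,
                             # unix_stream, redis) are not used here
      filename: eve.json     # relative to default-log-dir -> /var/log/suricata/eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            version: 2
        - tls:
            extended: yes
        - flow
        - stats:
            totals: yes
            threads: no
            deltas: no
```

After editing, `suricata -T -c /etc/suricata/suricata.yaml` validates the file before a restart, and a growing `/var/log/suricata/eve.json` confirms events are no longer going through syslog. Michał's setup ships the file with syslog-ng; if the sensor stays on rsyslog, its `imfile` input module tails the same file, so the choice of shipper does not change the Suricata side of this configuration.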