[Oisf-users] Rsyslog suppressed messages from suricata

Michał Purzyński michalpurzynski1 at gmail.com
Sun Jun 30 20:48:15 UTC 2019


Can you share your suricata.yml? Ideally Suricata should not write events to
syslog, eve-json is best used for that. Take a look here to disable the
syslog output

https://suricata.readthedocs.io/en/suricata-4.1.4/output/syslog-alerting-comp.html

And here to enable the eve-json

https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/index.html

We use syslog-ng to pick up messages from the JSON file and ship them to
SIEM.



On Wed, Jun 19, 2019 at 6:02 AM <craig at reswob10.net> wrote:

>
> Hi, new to suricata.  I have a new install on CentOS 7 running rsyslog
> 8.24.0-34.el7 and I have suricata 4.1.4
>
>
> My problem is it appears rsyslog is blocking writing of events to
> /var/log/messages because I see no suricata logs, but many of these entries:
>
> journal: Suppressed 13475 messages from /system.slice/suricata.service
>
> (the number of suppressed messages changes, but the main message stays the
> same)
>
>
> Is there a particular area of my config I should look at to tweak to fix
> this? Does this mean I should migrate to a server with more CPU and/or RAM?
>
> Thanks
>
> Craig
>
>
> My other question is this: is there a way to search the archives?  I went
> to https://lists.openinfosecfoundation.org/pipermail/oisf-users/ but I
> didn't see a search capability....
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
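The configuration change Michał recommends, as an added example that is not part of the original thread or of the Suricata project's shipped suricata.yaml: the `outputs:` section of a Suricata 4.1 config with the syslog alert output disabled and the eve-json output enabled, so alerts go to a JSON file instead of being pushed through the journal. The log directory `/var/log/suricata/` and the `eve.json` filename are the Suricata defaults; the set of `types` is an assumption and can be trimmed or extended.

```yaml
# Added example (not from the original post): suricata.yaml outputs section
# with alerts routed to eve.json instead of syslog.
default-log-dir: /var/log/suricata/   # assumed default; filenames below are relative to it

outputs:
  # Syslog alerting output: disabled. This is the output that was flooding
  # the journal and triggering "Suppressed N messages" rate limiting.
  - syslog:
      enabled: no
      facility: local5
      level: Info

  # Extensible Event Format: one JSON object per line in eve.json.
  # A log shipper (syslog-ng, rsyslog, filebeat ...) tails this file.
  - eve-log:
      enabled: yes
      filetype: regular          # plain file; 'unix_stream'/'unix_dgram' are also available
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - ssh
        - flow
        - stats:
            totals: yes
            threads: no
            deltas: no
```

After editing, validate the file with `suricata -T -c /etc/suricata/suricata.yaml` before restarting the service, then confirm events arrive with `tail -f /var/log/suricata/eve.json`. Each line is self-contained JSON, which is why a shipper such as syslog-ng can read the file directly (a `file()` source on eve.json) and forward records to the SIEM without the journal being involved.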