Suricata - send logs to remote syslog server including payload in the msg without barnyard2
-
Hi,
I see that in the new versions of pfSense barnyard2 is not included anymore. I would like to ask if there is an option to send Suricata alerts with payload included to a remote syslog server without barnyard2?
-
There is an option to send Suricata alerts to syslog (the pfSense system log). There is no direct remote syslog option within Suricata itself. The upstream package does not support that either best I recall. But you can configure pfSense to send its logs to a remote syslog server.
However, syslog on pfSense will, by default, truncate all messages to a max of 480 bytes. That is usually not big enough to fully capture payload info.
Most users that are serious about obtaining logging data from Suricata stand up an ELK or Graylog setup on a third host. Then configure Suricata to log to EVE JSON format and use a third-party process to export those logs off the pfSense box to a remote host. Something like the filebeat package on FreeBSD. Here are some examples:
- https://www.diaryfolio.com/2020/07/elastic-beats-on-pfsense-installation.html
- https://docs.logz.io/shipping/security-sources/pfsense.html
- https://psychogun.github.io/docs/linux/ELK-stack-on-Ubuntu-with-pfSense/
There are many other examples available if you search Google with "filebeat pfSense" or "elk pfSense", etc.
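As an added illustration of the approach described in the answer (not code from the thread or from the Suricata project): a small shipper that reads Suricata's EVE JSON alerts, folds the printable payload into an RFC 5424 syslog message and sends it straight to a remote collector over UDP, bypassing the 480-byte limit of pfSense's own syslogd. It assumes `payload-printable` is enabled in the eve-log alert output; the sample record, the `pfsense` hostname and the auth facility are constructed choices.

```python
import json
import socket
from datetime import datetime
from typing import Optional

# Constructed sample EVE alert (not from the thread); field names follow Suricata's
# eve-log "alert" event with payload-printable enabled.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2024-01-15T10:23:45.123456+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 51234,
    "dest_ip": "198.51.100.5", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 2100498, "rev": 7, "severity": 1,
              "signature": "GPL ATTACK_RESPONSE id check returned root"},
    "payload_printable": "uid=0(root) gid=0(root) groups=0(root)",
})

PFSENSE_SYSLOG_LIMIT = 480          # default truncation limit mentioned in the answer
SYSLOG_FACILITY_AUTH = 4            # facility for the PRI field (our choice)
SEVERITY_MAP = {1: 2, 2: 4, 3: 5}   # Suricata severity 1..3 -> syslog crit/warning/notice


def eve_alert_to_syslog(line: str, hostname: str = "pfsense") -> Optional[str]:
    """Convert one EVE JSON line into an RFC 5424 message that carries the payload.
    Non-alert events (flow, dns, ...) are skipped by returning None."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    alert = ev["alert"]
    pri = SYSLOG_FACILITY_AUTH * 8 + SEVERITY_MAP.get(alert.get("severity", 3), 5)
    # EVE writes "+0000"; RFC 5424 wants "+00:00", so round-trip through datetime.
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").isoformat()
    msg = (f"[{alert['signature_id']}:{alert.get('rev', 0)}] {alert['signature']} "
           f"{ev['proto']} {ev['src_ip']}:{ev.get('src_port', '')} -> "
           f"{ev['dest_ip']}:{ev.get('dest_port', '')} "
           f"payload={ev.get('payload_printable', '')!r}")
    return f"<{pri}>1 {ts} {hostname} suricata - {alert['signature_id']} - {msg}"


def exceeds_pfsense_limit(message: str) -> bool:
    """True when pfSense's own syslogd would have cut this message at 480 bytes."""
    return len(message.encode("utf-8")) > PFSENSE_SYSLOG_LIMIT


def ship_eve_file(path: str, host: str, port: int = 514) -> int:
    """Forward every alert in eve.json to the remote collector; returns messages sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path) as fh:
        for line in fh:
            message = eve_alert_to_syslog(line)
            if message is not None:
                sock.sendto(message.encode("utf-8"), (host, port))
                sent += 1
    return sent
```

`exceeds_pfsense_limit` exists only to show which alerts would have been truncated had they gone through the pfSense system log; the direct UDP path has no such limit, though a collector may still impose its own.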