    Suricata not outputting to Logging server

    IDS/IPS
    michmoor LAYER 8 Rebel Alliance

      I am testing Suricata alerting with Graylog and I'm running into an issue on the pfSense which is interesting.
      I have two interfaces set up for Suricata: DMZ and LAN. They are set up similarly in that alerts are sent to the system logs, which in turn are sent to the logging server for further processing.

      In order to test my alerts I run the following command from a Linux host on each network:

      curl -A "BlackSun" google.com

      On the DMZ client, as expected, this generates an alert and I see it show up in Graylog. I got an email alert and everything is good.
      On the LAN client, I see the alert in the alerts.log file. Suricata sees it. Nothing in Graylog.

      [screenshot]

      Yet... nothing in Graylog. This is what I see on the logging server. The DMZ network is 192.168.15.X/24.

      [screenshot]

      I have restarted Suricata on the LAN but no difference.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      michmoor LAYER 8 Rebel Alliance @michmoor

        @michmoor FIXED.
        What I did? Unselect the option to send to syslog. Clicked Save.
        Then I received the following message:

        EVE Output to syslog requires Suricata alerts to be copied to the system log, so 'Send Alerts to System Log' has been auto-enabled.

        Tested again... works. Alerts received in the logging server as well as email notification.


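The check the poster did by hand (fire the test User-Agent on each network, then see which interface's alert actually reached the collector) can be scripted. The following is an added example, not code from the thread or from the pfSense Suricata package: it parses Suricata EVE JSON alert records, wraps them the way EVE's syslog output does (JSON as the syslog message body), and reports which interfaces never delivered the test alert to the collector. The interface names (igb1 for DMZ, igb2 for LAN), addresses, the local rule sid and signature text, the syslog facility and the hostname are all assumptions made for the example.

```python
import json

TEST_USER_AGENT = "BlackSun"      # the User-Agent the poster's curl test sends
FACILITY_LOCAL1 = 17              # assumed syslog facility; use whatever eve-log syslog is configured with

# Constructed EVE JSON lines, not captured from the poster's system. Interface
# names, IPs, sid 9000001 and the signature text are placeholders for the example.
SAMPLE_EVE = [
    json.dumps({
        "timestamp": "2024-01-01T10:00:00.000000+0000", "event_type": "alert",
        "in_iface": "igb1", "src_ip": "192.168.15.20", "src_port": 50100,
        "dest_ip": "142.250.72.14", "dest_port": 80, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 1,
                  "signature": "LOCAL TEST Suspicious User-Agent (BlackSun)",
                  "category": "A Network Trojan was detected", "severity": 1},
        "http": {"hostname": "google.com", "url": "/", "http_method": "GET",
                 "http_user_agent": TEST_USER_AGENT},
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:00:05.000000+0000", "event_type": "alert",
        "in_iface": "igb2", "src_ip": "192.168.1.20", "src_port": 50200,
        "dest_ip": "142.250.72.14", "dest_port": 80, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 1,
                  "signature": "LOCAL TEST Suspicious User-Agent (BlackSun)",
                  "category": "A Network Trojan was detected", "severity": 1},
        "http": {"hostname": "google.com", "url": "/", "http_method": "GET",
                 "http_user_agent": TEST_USER_AGENT},
    }),
    # a non-alert event and a malformed line; both must be skipped, not crash the parser
    json.dumps({"timestamp": "2024-01-01T10:00:06.000000+0000", "event_type": "flow",
                "in_iface": "igb2"}),
    "{not valid json",
]


def parse_eve(lines):
    """Return only the alert records from EVE JSON lines, skipping other event types and bad lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def is_test_alert(rec):
    """True when the alert was raised by the curl User-Agent test."""
    return rec.get("http", {}).get("http_user_agent") == TEST_USER_AGENT


def to_syslog(rec, hostname="pfsense"):
    """Wrap an EVE record as an RFC 3164-style syslog line whose message is the JSON itself,
    which is the shape EVE's syslog output produces. PRI and hostname are assumptions."""
    sev = rec.get("alert", {}).get("severity", 3)
    syslog_sev = min(max(sev, 1), 4)          # Suricata priority 1..4 -> syslog alert(1)..warning(4)
    pri = FACILITY_LOCAL1 * 8 + syslog_sev
    return f"<{pri}>{rec.get('timestamp', '-')} {hostname} suricata: " + json.dumps(rec, separators=(",", ":"))


def received_test_interfaces(syslog_lines):
    """Interfaces whose test alert actually arrived at the collector."""
    seen = set()
    for line in syslog_lines:
        _, _, payload = line.partition("suricata: ")
        try:
            rec = json.loads(payload)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and is_test_alert(rec):
            seen.add(rec.get("in_iface"))
    return seen


def missing_interfaces(expected, syslog_lines):
    """Expected interfaces with no test alert at the collector (the LAN case in the thread)."""
    return set(expected) - received_test_interfaces(syslog_lines)


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    # simulate the poster's symptom: only the DMZ interface's alerts reach the collector
    arrived = [to_syslog(a) for a in alerts if a["in_iface"] == "igb1"]
    print("interfaces with no test alert at the collector:", missing_interfaces({"igb1", "igb2"}, arrived))
```

In practice `SAMPLE_EVE` would be replaced by the lines of eve.json on the firewall and `arrived` by the Suricata messages exported from the collector for the same window; an interface that appears in the first set but not the second points at the forwarding step (here the 'Send Alerts to System Log' dependency) rather than at detection.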