Netgate Discussion Forum

    Suricata logs

    IDS/IPS
    • D
      Danil 0
      last edited by Danil 0

      Is it possible to disable repeated logs from Suricata to the main log?

      For example, I have only one line in the Suricata log.
      Suri_block.png Hi,

      If the attacker repeats the attempt, I have more lines in the main firewall log.
      Sys_log.png

      Also, I have disabled Log to System Log.

      Thanks for the help.

      • bmeeksB
        bmeeks @Danil 0
        last edited by bmeeks

        @Danil-0 said in Suricata logs:

        Is it possible to disable repeated logs from Suricata to the main log?

        For example, I have only one line in the Suricata log.
        Suri_block.png Hi,

        If the attacker repeats the attempt, I have more lines in the main firewall log.
        Sys_log.png

        Also, I have disabled Log to System Log.

        Thanks for the help.

        Suricata does not put those entries in the System Log that you marked. Those are from the pf firewall engine itself. It's logging traffic hitting the built-in rule that exists for the snort2c pf table that is used to implement Suricata blocking (and Snort, if that package is installed). Suricata does not, and cannot, log to the firewall log tab. It can only log to the system tab.

        Suricata "blocks" by adding IP addresses to a pre-existing pf firewall engine table. pfSense creates a built-in rule automatically each time it builds the firewall rules that blocks IP addresses added to the snort2c table.

        You should not see these logged entries if you enable the option to "do not log default rules" in the Settings tab of the System Logs tab of pfSense.

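To line up the two views discussed in the thread above (one entry per host in Suricata's block list, many entries in the firewall log), this added example, which is not part of the original thread and is not pfSense or Suricata code, collapses repeated pf block entries for one rule into a count per source address. It assumes the raw filterlog CSV field order documented by Netgate; the tracker ID, host name, addresses and log lines are constructed placeholders.

```python
from collections import Counter

# Constructed placeholder: read the real tracker ID of the snort2c block rule
# from your own firewall log. This value is not taken from the thread.
SNORT2C_TRACKER = "1000000118"

# Constructed sample lines in pfSense raw filterlog layout (documentation addresses).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw filterlog[4242]: 7,,,1000000118,em0,match,block,in,4,0x0,,54,1111,0,none,6,tcp,60,203.0.113.7,198.51.100.2,40001,22,0,S,100,,1024,,mss
Jan 10 12:00:02 fw filterlog[4242]: 7,,,1000000118,em0,match,block,in,4,0x0,,54,1112,0,none,6,tcp,60,203.0.113.7,198.51.100.2,40001,22,0,S,100,,1024,,mss
Jan 10 12:00:04 fw filterlog[4242]: 7,,,1000000118,em0,match,block,in,4,0x0,,54,1113,0,none,6,tcp,60,203.0.113.7,198.51.100.2,40001,22,0,S,100,,1024,,mss
Jan 10 12:00:05 fw filterlog[4242]: 7,,,1000000118,em0,match,block,in,4,0x0,,54,3001,0,none,6,tcp,60,198.51.100.99,198.51.100.2,51000,443,0,S,500,,1024,,mss
Jan 10 12:00:06 fw filterlog[4242]: 9,,,1000000103,em0,match,block,in,4,0x0,,54,2222,0,none,6,tcp,60,203.0.113.7,198.51.100.2,40003,23,0,S,300,,1024,,mss
Jan 10 12:00:07 fw filterlog[4242]: 7,,,1000000118,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::5,2001:db8::1,40002,22,0,S,200,,1024,,mss
Jan 10 12:00:08 fw sshd[99]: unrelated syslog line
"""

# Position of the source address in the CSV payload, keyed by IP version field.
SRC_INDEX = {"4": 18, "6": 15}


def summarize_blocks(log_text, tracker=SNORT2C_TRACKER):
    """Return a Counter of source IP -> number of pf block entries for one rule."""
    hits = Counter()
    for line in log_text.splitlines():
        marker, sep, rest = line.partition("filterlog[")
        if not sep:
            continue  # not a pf filterlog entry
        fields = rest.partition("]: ")[2].split(",")
        # Field 3 is the rule tracker ID, 6 the action, 8 the IP version.
        if len(fields) < 9 or fields[3] != tracker or fields[6] != "block":
            continue
        idx = SRC_INDEX.get(fields[8])
        if idx is None or len(fields) <= idx:
            continue  # unknown IP version or truncated line
        hits[fields[idx]] += 1
    return hits


if __name__ == "__main__":
    for src, count in summarize_blocks(SAMPLE_LOG).most_common():
        print(f"{src}: {count} pf block entries")
```
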
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.