Netgate Discussion Forum
    Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work

    IDS/IPS
    12 Posts 5 Posters 8.2k Views
      mfil67

      Anybody that could give me a hint how to forward the suricata EVE json files from pfSense to an external syslog server?  :(

      Thanks in advance  :)

        BBcan177 Moderator

        https://forum.pfsense.org/index.php?topic=6.msg470730#msg470730

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          mfil67

          Many thanks for your answer and your time :)

          I read the link you posted, I just don't understand why there's the option in Suricata to output the EVE json log to the local pfSense syslog server and I don't see the actual output in "Status -> System logs -> System -> General" :( Where am I wrong?

            bmeeks

            @mfil67:

            Many thanks for your answer and your time :)

            I read the link you posted, I just don't understand why there's the option in Suricata to output the EVE json log to the local pfSense syslog server and I don't see the actual output in "Status -> System logs -> System -> General" :( Where am I wrong?

            You will need to alter the default Log Level and Log Facility.  pfSense does its own syslog-type filtering and scatters logged events across several log files based on facility and level.  It's been a while, but I think you can try LOG_AUTH for the facility and LOG_INFO for level and see if that won't put the data into the system log.  Each time you change the Suricata setting, you will need to restart Suricata on that interface.

            EDIT: As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submittal to the pfSense Team.  If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch Logstash Kibana) setup.

            Bill

              mfil67

              Many thanks, much appreciated :)

              I tried with auth/info as well as auth/alert, authpriv/alert, kern/alert. No EVE json string has been printed :( This is so weird, am I wrong somewhere?  :(

                bmeeks

                @mfil67:

                Many thanks, much appreciated :)

                I tried with auth/info as well as auth/alert, authpriv/alert, kern/alert. No EVE json string has been printed :( This is so weird, am I wrong somewhere?  :(

                I will need to find some time and test this myself.  I think I briefly verified that it worked way back when I first added the option to the package, but to be honest I am not 100% positive about testing it.  I added a lot of functionality at that time and was doing a lot of testing back and forth.  I could have missed that particular option.

                Bill

                  bmeeks

                  OK.  Got this to work by also checking the "Send Alerts to System Log" checkbox in the Logging Settings section of the INTERFACE SETTINGS tab.

                  For both options you will need to set the Log Facility to auth and the Log Level to info in the corresponding drop-down boxes.  After saving the changes, restart Suricata on the interface.

                  Suricata does not seem to initialize syslog output at all unless the "Send Alerts to System Log" option is also enabled.  Apparently this is what loads the syslog output module that the EVE JSON output to syslog is dependent upon.

                  NOTE:  be prepared and expect your system log output formatting to be weird when viewed from the Status > System Log menu.  This is a consequence of the way JSON output is formatted.

                  Bill

                    mfil67

                    You are THE man! Dude, you made it! This is awesome, thank you very much!! I didn't know what else I could try to make it work!  ;D
                    Whatever I can do to help you, please let me know - I owe you a beer!  :)

                    As soon as I set up an ELK server I'll get in touch with you again so that I can stress-test your close-to-release package :)

                    Again, thank you very much!

                    Best regards

                      bmeeks

                      @mfil67:

                      You are THE man! Dude, you made it! This is awesome, thank you very much!! I didn't know what else I could try to make it work!  ;D
                      Whatever I can do to help you, please let me know - I owe you a beer!  :)

                      As soon as I set up an ELK server I'll get in touch with you again so that I can stress-test your close-to-release package :)

                      Again, thank you very much!

                      Best regards

                      You are welcome.  Next time I make some GUI code updates to the package, I will tie the EVE JSON syslog output toggle to the output alerts to system log toggle so it is auto-enabled (if not already) when you choose EVE JSON output to syslog.

                      Bill

                        alexolivan

                        Hi guys, maybe you could help me…

                        I'm trying to send BOTH syslog and suricata logs to the SAME ELK server.
                        Actually, thanks to abundant online documentation and howtos, I managed to get my pfSense devices centrally monitored on an ELK server.

                        The problem I'm facing is that I cannot get suricata working on that same server...
                        I don't know, or I didn't find, how to tell logstash that a combined syslog / suricata flow will arrive at the tcp input.

                        Actually, I have a pair of inputs listening on tcp/udp port 514, type syslog, and they read logs fine as they arrive.
                        But, how to add type suricata + codec json on the same listening ports?

                        Alternatively, I do not know how to make suricata send its logs on a separate port (I'm using your setup, where I'm trying to use the same pfSense syslog flow to the remote syslog server).

                        Could you give me some clue?
                        Thanks in advance, best regards
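The "weird" formatting bmeeks warns about above and the combined syslog/Suricata flow alexolivan asks about are the same problem seen from the receiving side: once EVE JSON goes through the pfSense syslog flow, each Suricata record arrives as a JSON object inside an ordinary syslog message, interleaved with the firewall's other log lines. As an added example that is not part of this thread or of the pfSense Suricata package, the Python below splits such a stream into EVE records and plain syslog records, decodes the auth/info priority the thread settles on (PRI 38), and keeps truncated JSON as a plain record instead of failing; the hostname, PIDs and log lines are constructed.

```python
import json
import re
# Added example (not from the thread or the pfSense Suricata package). Splits a
# single syslog stream into Suricata EVE JSON records and ordinary syslog messages,
# the situation that arises when EVE JSON is sent through the pfSense syslog flow.
# BSD syslog line: "<PRI>Mon DD HH:MM:SS host tag[pid]: message" (PRI is optional).
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def decode_pri(pri):
    """PRI = facility * 8 + severity; the thread's auth/info is 4*8 + 6 = 38."""
    pri = int(pri)
    return pri // 8, pri % 8

def parse_line(line):
    """Classify one line as 'eve' (JSON message), 'syslog' or 'unparsed'."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return {"kind": "unparsed", "raw": line}
    rec = m.groupdict()
    if rec["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(rec["pri"])
    if rec["msg"].startswith("{"):
        try:
            rec["eve"] = json.loads(rec["msg"])
            rec["kind"] = "eve"
            return rec
        except json.JSONDecodeError:
            pass  # truncated or line-wrapped JSON is kept as a plain syslog record
    rec["kind"] = "syslog"
    return rec

def split_stream(lines):
    eve, other = [], []  # (EVE records, everything else) for an iterable of raw lines
    for line in lines:
        rec = parse_line(line)
        (eve if rec["kind"] == "eve" else other).append(rec)
    return eve, other

# Constructed sample lines: facility auth (4), level info (6) => PRI 38.
SAMPLE = [
    '<38>Jan  5 10:12:01 pfsense suricata[4321]: {"timestamp":"2015-01-05T10:12:01.000000+0000",'
    '"event_type":"alert","src_ip":"192.0.2.10","alert":{"signature":"CONSTRUCTED test signature","severity":2}}',
    '<38>Jan  5 10:12:02 pfsense sshd[1200]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2',
    '<38>Jan  5 10:12:03 pfsense suricata[4321]: {"timestamp":"2015-01-05T10:12:03.000000+0000","event_type":"alert","src_ip"',
]
```

Feeding `split_stream(SAMPLE)` yields one parsed alert and two plain records, the second of which is the truncated Suricata line kept verbatim for later inspection.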

                          mikesamo

                          Morning,

                          any update on that package?

                          As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submittal to the pfSense Team.  If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch Logstash Kibana) setup.

                          Thanks,
