Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to get Suricata logs into Graylog?

    Scheduled Pinned Locked Moved
    IDS/IPS
    logging pfsense suricata
    2
    3
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      logan5247
      last edited by logan5247

      I'm running pfSense 2.4.5-RELEASE-p1 on an APU2D4 at home.

      I have already configured my firewall logs to go to Graylog and that is working. In my syslog settings under Status --> System Logs --> Settings, I have set:
      Screenshot_2020-12-16 pfsense internal loganmarchione xyz - Status System Logs Settings.png

      I have Suricata running on my LAN interface and I can see alerts on the Alerts page. Now I'm trying to send Suricata alerts to Graylog as well. In my mind, I thought if I sent Suricata logs to syslog, they would just get sent to Graylog. In my Suricata settings for the LAN interface, I have set:
      Screenshot_2020-12-16 pfsense internal loganmarchione xyz - Services Suricata Edit Interface Settings - LAN.png

      I'm not seeing anything other than my normal firewall traffic in Graylog? Do I need to change LOCAL1 to SYSLOG, or do I need to check a different category in the remote logging options section?

      kiokomanK 1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8 @logan5247
        last edited by

        @logan5247
        you need "System Events"

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        L 1 Reply Last reply Reply Quote 0
        • L
          logan5247 @kiokoman
          last edited by

          @kiokoman Ugh, thank you! Working now!

          1 Reply Last reply Reply Quote 0
          • First post
            Last post