4. suricata eve json to syslog

suricata eve json to syslog

  • N

    Re: Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work

    hello everybody, i'm trying to send eve json logs to logstash / elk stack via syslog, in order to avoid to install the unofficial filebeat package on pfsense. it looks that using syslog is the official supported way to ship eve output to an external host at this moment.
    pfsense 2.4.4, suricata 4.0.13_9, interface settings with:
    Send Alerts to System Log: enabled
    EVE JSON Log: enabled
    EVE Output Type: syslog
    EVE Log Alerts: enabled
    EVE Log Alert Payload: both

    i'm using "nmap -sV -p 8081 ipaddress" to trigger alerts. with Log Facility and Log Priority set to LOCAL1 and NOTICE i can see "ET SCAN Possible Nmap User-Agent" alerts in logstash, but they are basic standard syslog messages, additional data like payload etc are missing. if i set Log Facility and Log Priority to AUTH and INFO then no more alerts in logstash.
    could you please confirm that auth and info are still the right syslog setting? i tried others Log Facility and Log Priority combinations with no different results.
    thank you.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy