4. suricata eve json to syslog

suricata eve json to syslog

  • N

    Re: Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work

    hello everybody, i'm trying to send eve json logs to logstash / elk stack via syslog, in order to avoid to install the unofficial filebeat package on pfsense. it looks that using syslog is the official supported way to ship eve output to an external host at this moment.
    pfsense 2.4.4, suricata 4.0.13_9, interface settings with:
    Send Alerts to System Log: enabled
    EVE JSON Log: enabled
    EVE Output Type: syslog
    EVE Log Alerts: enabled
    EVE Log Alert Payload: both

    i'm using "nmap -sV -p 8081 ipaddress" to trigger alerts. with Log Facility and Log Priority set to LOCAL1 and NOTICE i can see "ET SCAN Possible Nmap User-Agent" alerts in logstash, but they are basic standard syslog messages, additional data like payload etc are missing. if i set Log Facility and Log Priority to AUTH and INFO then no more alerts in logstash.
    could you please confirm that auth and info are still the right syslog setting? i tried others Log Facility and Log Priority combinations with no different results.
    thank you.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy