Suricata EVE JSON to syslog

    Hello everybody, I'm trying to send EVE JSON logs to Logstash / ELK stack via syslog, in order to avoid installing the unofficial Filebeat package on pfSense. It looks like using syslog is the officially supported way to ship EVE output to an external host at the moment.
    pfSense 2.4.4, Suricata 4.0.13_9, interface settings with:
    Send Alerts to System Log: enabled
    EVE JSON Log: enabled
    EVE Output Type: syslog
    EVE Log Alerts: enabled
    EVE Log Alert Payload: both

    I'm using "nmap -sV -p 8081 ipaddress" to trigger alerts. With Log Facility and Log Priority set to LOCAL1 and NOTICE I can see "ET SCAN Possible Nmap User-Agent" alerts in Logstash, but they are basic standard syslog messages; additional data like the payload etc. are missing. If I set Log Facility and Log Priority to AUTH and INFO then there are no more alerts in Logstash.
    Could you please confirm that AUTH and INFO are still the right syslog settings? I tried other Log Facility and Log Priority combinations with no different results.
    Thank you.

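The post hinges on what the receiving side actually gets: with only "Send Alerts to System Log" enabled, each alert arrives as a one-line plain-text syslog message with no payload, whereas with EVE Output Type set to syslog the message body is a full EVE JSON object that carries the base64 `payload` and `payload_printable` fields. The following is an added example (not code from the post, from pfSense or from the Suricata project) of a small receiver-side parser that tells the two apart, decodes the syslog PRI into facility and severity so a LOCAL1/NOTICE versus AUTH/INFO mismatch is visible, and pulls the decoded payload out of EVE alerts. It assumes RFC 3164 style framing (`<PRI>Mon dd hh:mm:ss host suricata[pid]: message`) and the default `suricata` syslog tag; the sample lines, host names, IPs, timestamps and the signature ID 1000001 are all constructed for illustration, not captured from a real pfSense box.

```python
"""Added example (not from the forum post): classify syslog-wrapped Suricata
records into EVE JSON events and legacy plain-text alerts.

Assumptions (not stated on the page): RFC 3164 style lines
"<PRI>Mon dd hh:mm:ss host suricata[pid]: MSG"; with EVE output type
"syslog" MSG is one EVE JSON object, with only "Send Alerts to System Log"
it is the one-line alert-syslog format. All sample lines, hosts, IPs and
the signature id 1000001 below are constructed, not captured."""
import base64
import json
import re

# RFC 3164 header: optional <PRI>, timestamp, host, tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Suricata alert-syslog line: [gid:sid:rev] sig [Classification: c] [Priority: p] {proto} src -> dst
LEGACY_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[^ ]+) -> (?P<dst>\S+)$"
)

# Constructed sample input: one EVE alert (LOCAL1/NOTICE = PRI 141), one legacy
# text alert (same PRI) and one unrelated AUTH/INFO line (PRI 38). The EVE line
# is a raw string so the JSON escape \r\n reaches the JSON parser unchanged.
SAMPLE_LINES = [
    r'<141>Feb 12 09:15:01 pfsense suricata[41123]: {"timestamp":"2019-02-12T09:15:01.123456+0100","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":8081,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ET SCAN Possible Nmap User-Agent","category":"Web Application Attack","severity":1},"payload":"R0VUIC8gSFRUUC8xLjENCg==","payload_printable":"GET / HTTP/1.1\r\n"}',
    "<141>Feb 12 09:15:01 pfsense suricata[41123]: [1:1000001:1] ET SCAN Possible Nmap User-Agent [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.9:8081",
    "<38>Feb 12 09:15:02 pfsense sshd[900]: Accepted publickey for admin from 10.0.0.7 port 50000 ssh2",
]


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility*8 + severity."""
    return pri // 8, pri % 8


def parse_syslog_line(line):
    """Return a dict describing one syslog line, or None if it is not syslog at all."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"host": m.group("host"), "tag": m.group("tag"), "kind": "text",
           "facility": None, "severity": None}
    if m.group("pri") is not None:
        rec["facility"], rec["severity"] = decode_pri(int(m.group("pri")))
    msg = m.group("msg")
    if msg.startswith("{"):
        # EVE syslog output: the whole message body is one JSON object
        try:
            ev = json.loads(msg)
        except json.JSONDecodeError:
            rec["raw"] = msg
            return rec
        rec["kind"] = "eve"
        rec["event"] = ev
        if "payload" in ev:
            # EVE carries the raw payload base64-encoded; decode it here
            rec["payload"] = base64.b64decode(ev["payload"])
        return rec
    lm = LEGACY_RE.match(msg)
    if lm:
        # Plain alert-syslog line: signature and 5-tuple only, no payload
        rec["kind"] = "legacy_alert"
        rec["signature"] = lm.group("sig")
        rec["sid"] = int(lm.group("sid"))
        rec["src"], rec["dst"] = lm.group("src"), lm.group("dst")
        return rec
    rec["raw"] = msg
    return rec


def triage(lines):
    """Classify a batch of syslog lines. Returns the decoded EVE alerts (with
    facility/severity and payload bytes), the count of legacy text-only alerts
    (which can never carry a payload) and the count of unrelated lines."""
    out = {"eve_alerts": [], "legacy_alerts": 0, "other": 0}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["tag"] != "suricata":
            out["other"] += 1
            continue
        if rec["kind"] == "eve" and rec["event"].get("event_type") == "alert":
            ev = rec["event"]
            out["eve_alerts"].append({
                "signature": ev["alert"]["signature"],
                "sid": ev["alert"]["signature_id"],
                "src": f'{ev["src_ip"]}:{ev["src_port"]}',
                "dst": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                "facility": rec["facility"],
                "severity": rec["severity"],
                "payload": rec.get("payload", b""),
            })
        elif rec["kind"] == "legacy_alert":
            out["legacy_alerts"] += 1
        else:
            out["other"] += 1
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for a in result["eve_alerts"]:
        print(a["signature"], a["src"], "->", a["dst"],
              "facility/severity", (a["facility"], a["severity"]), a["payload"])
    print("legacy text alerts without payload:", result["legacy_alerts"])
```

Running `triage` on the constructed lines yields one EVE alert with the decoded `GET / HTTP/1.1` payload at facility 17 (LOCAL1) and severity 5 (NOTICE), one legacy alert counted separately, and the sshd line ignored. The split is the diagnostic the post is after: if a receiver only ever reports `legacy_alerts` and never `eve_alerts`, the EVE syslog output is not reaching it, which is independent of whether the Logstash syslog input is listening on the facility and severity the sender is using (compare `decode_pri` of the incoming PRI values against the configured pair).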