Netgate Discussion Forum

    suricata eve json to syslog

    newtime

      Re: Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work

      Hello everybody, I'm trying to send EVE JSON logs to Logstash / ELK stack via syslog, in order to avoid installing the unofficial Filebeat package on pfSense. It looks like using syslog is the officially supported way to ship EVE output to an external host at this moment.
      pfSense 2.4.4, Suricata 4.0.13_9, interface settings with:
      Send Alerts to System Log: enabled
      EVE JSON Log: enabled
      EVE Output Type: syslog
      EVE Log Alerts: enabled
      EVE Log Alert Payload: both

      I'm using "nmap -sV -p 8081 ipaddress" to trigger alerts. With Log Facility and Log Priority set to LOCAL1 and NOTICE I can see "ET SCAN Possible Nmap User-Agent" alerts in Logstash, but they are basic standard syslog messages; additional data like the payload etc. is missing. If I set Log Facility and Log Priority to AUTH and INFO then there are no more alerts in Logstash.
      Could you please confirm that AUTH and INFO are still the right syslog settings? I tried other Log Facility and Log Priority combinations with no different results.
      Thank you.

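Added example, not from this thread or from pfSense/Suricata: a small Python parser for the two kinds of syslog line the post contrasts, the plain "Send Alerts to System Log" alert line and a line whose body is EVE JSON. It decodes the PRI header into facility and severity, so one can check on the receiving side which facility/priority the messages really arrive with (LOCAL1/NOTICE is PRI 141, AUTH/INFO is PRI 38) and whether the body carries the payload fields. The exact pfSense syslog layout and both sample lines are constructed assumptions.

```python
import json
import re

# RFC 3164 PRI = facility * 8 + severity; only the facilities this thread mentions are named.
FACILITIES = {4: "auth", 16: "local0", 17: "local1", 18: "local2", 19: "local3"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed BSD-style syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<tag>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Plain "Send Alerts to System Log" form: [gid:sid:rev] signature [Classification: ...] ...
PLAIN_RE = re.compile(r"\[\d+:\d+:\d+\] (?P<sig>.+?) \[Classification:")

def parse_line(line):
    """Return the decoded syslog envelope plus whichever alert fields the message carries."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
           "severity": SEVERITIES[pri & 7], "host": m["host"], "tag": m["tag"],
           "kind": "plain", "signature": None, "payload": None}
    msg = m["msg"]
    if msg.startswith("{"):
        try:
            eve = json.loads(msg)            # EVE JSON travels as the syslog message body
        except json.JSONDecodeError:
            return rec                       # truncated/non-JSON body: keep the envelope only
        rec.update(kind="eve", event_type=eve.get("event_type"),
                   signature=eve.get("alert", {}).get("signature"),
                   payload=eve.get("payload_printable"))
        return rec
    p = PLAIN_RE.match(msg)
    if p:
        rec["signature"] = p["sig"]
    return rec

# Constructed sample lines (not captured from a real pfSense box): one of each kind.
PLAIN_LINE = ("<141>Jan 10 12:00:00 pfSense suricata[12345]: [1:2024364:3] "
              "ET SCAN Possible Nmap User-Agent Observed [Classification: Web Application Attack] "
              "[Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.10:8081")
EVE_LINE = ('<38>Jan 10 12:00:01 pfSense suricata[12345]: {"timestamp":"2025-01-10T12:00:01+0000",'
            '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","dest_port":8081,'
            '"alert":{"signature":"ET SCAN Possible Nmap User-Agent Observed","severity":1},'
            '"payload_printable":"GET / HTTP/1.1 User-Agent: Nmap Scripting Engine"}')
```

Running `parse_line` over what Logstash actually receives shows immediately whether the messages are the plain alert form (no payload) or EVE JSON, and which facility/severity the sender used.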
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.