Suricata EVE JSON to syslog
newtime
Hello everybody, I'm trying to send EVE JSON logs to Logstash / ELK stack via syslog, in order to avoid installing the unofficial Filebeat package on pfSense. It looks like using syslog is the officially supported way to ship EVE output to an external host at this moment.
pfSense 2.4.4, Suricata 4.0.13_9, interface settings:
Send Alerts to System Log: enabled
EVE JSON Log: enabled
EVE Output Type: syslog
EVE Log Alerts: enabled
EVE Log Alert Payload: both
I'm using "nmap -sV -p 8081 ipaddress" to trigger alerts. With Log Facility and Log Priority set to LOCAL1 and NOTICE I can see "ET SCAN Possible Nmap User-Agent" alerts in Logstash, but they are basic standard syslog messages; additional data like the payload etc. is missing. If I set Log Facility and Log Priority to AUTH and INFO then there are no more alerts in Logstash.
Could you please confirm that AUTH and INFO are still the right syslog settings? I tried other Log Facility and Log Priority combinations with no different results.
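An added example to illustrate the two kinds of message the post describes; it is not code from the original post, from pfSense, or from Suricata. "Send Alerts to System Log" produces a one-line text alert, while an EVE output of type syslog wraps a whole JSON event (including the base64 `payload` and `payload_printable` fields when "Alert Payload: both" is set) in a syslog message. The script below separates the two on the receiving side and decodes the payload. It assumes the usual `host tag[pid]: message` syslog layout with `suricata` as the tag; the three sample lines, the rule id 9000001, the addresses and the pid are constructed placeholders.

```python
"""Split Suricata syslog lines into plain-text alerts and EVE JSON events.

Added example, not from the original forum post or from pfSense/Suricata.
All sample data below is constructed by hand: the signature id, hosts,
addresses and pid are placeholders, not real rules or systems.
"""
import base64
import json
import re

# Assumed syslog layout: optional "<PRI>", BSD timestamp, host, then
# "<tag>[<pid>]: <message>". The tag is whatever Suricata uses as its
# syslog identity; "suricata" is assumed in the sample lines.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed HTTP request of the kind an "nmap -sV" probe would send.
NMAP_REQUEST = (b"GET / HTTP/1.1\r\nHost: 192.0.2.20:8081\r\n"
                b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; "
                b"https://nmap.org/book/nse.html)\r\n\r\n")

# Constructed EVE alert event (field names follow Suricata's EVE format;
# signature_id 9000001 is a placeholder, not a real ET rule id).
EVE_ALERT = {
    "timestamp": "2019-06-12T10:15:01.000000+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10", "src_port": 51234,
    "dest_ip": "192.0.2.20", "dest_port": 8081,
    "proto": "TCP",
    "alert": {"signature_id": 9000001, "rev": 1,
              "signature": "ET SCAN Possible Nmap User-Agent Observed",
              "category": "Web Application Attack", "severity": 1},
    # "Alert Payload: both" -> base64 copy plus a printable rendering
    "payload": base64.b64encode(NMAP_REQUEST).decode(),
    "payload_printable": NMAP_REQUEST.decode(),
}

# Constructed syslog lines: a plain-text alert, the EVE JSON version of the
# same alert, and an unrelated message from another daemon.
SAMPLE_LINES = [
    "Jun 12 10:15:01 fw suricata[12345]: [1:9000001:1] ET SCAN Possible Nmap "
    "User-Agent Observed [Classification: Web Application Attack] [Priority: 1] "
    "{TCP} 192.0.2.10:51234 -> 192.0.2.20:8081",
    "Jun 12 10:15:01 fw suricata[12345]: " + json.dumps(EVE_ALERT),
    "Jun 12 10:15:02 fw sshd[2222]: Accepted publickey for admin "
    "from 192.0.2.30 port 50000 ssh2",
]


def parse_syslog_line(line):
    """Return a dict with the syslog header fields and a 'kind' of
    'eve' (JSON message) or 'text'; None if the line does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    rec["kind"] = "text"
    # EVE-over-syslog carries exactly one JSON object per message.
    if msg.startswith("{"):
        try:
            rec["eve"] = json.loads(msg)
            rec["kind"] = "eve"
        except json.JSONDecodeError:
            pass  # keep it as text rather than dropping the line
    return rec


def alert_payload(event):
    """Decode the raw packet payload of an EVE alert, or return None.

    The base64 'payload' field is preferred because it is lossless;
    'payload_printable' is only a fallback when 'payload' is absent.
    """
    if event.get("event_type") != "alert":
        return None
    if "payload" in event:
        return base64.b64decode(event["payload"])
    printable = event.get("payload_printable")
    return printable.encode() if printable is not None else None


def summarize(lines):
    """Count message kinds and collect decoded alerts from syslog lines."""
    out = {"text": 0, "eve": 0, "unparsed": 0, "alerts": []}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        out[rec["kind"]] += 1
        if rec["kind"] == "eve":
            payload = alert_payload(rec["eve"])
            if payload is not None:
                out["alerts"].append({
                    "signature": rec["eve"]["alert"]["signature"],
                    "src_ip": rec["eve"]["src_ip"],
                    "payload": payload,
                })
    return out


if __name__ == "__main__":
    for alert in summarize(SAMPLE_LINES)["alerts"]:
        print(alert["signature"], "from", alert["src_ip"])
        print(alert["payload"].decode(errors="replace"))
```

The first sample line is what the text-only "Send Alerts to System Log" path yields: signature name, classification and the 5-tuple, but no packet contents. Only the second line, the EVE event, carries the payload fields, so whatever filter sits in front of Logstash has to hand the JSON part of the message to a JSON decoder instead of treating the whole line as a flat syslog string.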