Suricata logging configuration
I haven't been able to find a clear answer to my question.
We are running Suricata on our Netgate appliances. Works fine. At this point, we want to send any alerts that Suricata generates to our logging / SIEM service. The short version of that is that I will need to get the logs off of Suricata/pfSense and into an rsyslog server, which will pass the logs on to our logging service using their API.
I am stuck at the part where I get the Suricata logs off pfSense and to the rsyslog server. I'd like to use the EVE JSON format, as that will not require any preprocessing to be readable by our logging service. I can set EVE logging to be written to pfSense's syslog facilities or to a file.
I have not proceeded with writing to syslog so far because I don't really want to log everything from pfSense at this time. I am wondering if there is a way to get the eve.json log file's contents transmitted to my rsyslog server.
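One way to take the file route the post describes, as an added example that is not from the original post or from Suricata/pfSense: a small Python forwarder that reads eve.json, keeps only `alert` events and sends each one as an RFC 5424 syslog message to the rsyslog server, with the original JSON object as the message body so nothing downstream has to reformat it. The hostname `fw1`, the local5 facility, the severity mapping, the sample EVE lines and the rsyslog address are all assumptions.

```python
import json
import socket
from typing import Iterable, List, Optional

# Suricata alert severity (1 = high) -> syslog severity (assumed mapping)
SEVERITY_MAP = {1: 2, 2: 4, 3: 5}  # critical, warning, notice
LOCAL5 = 21  # syslog facility used for Suricata (assumption)

# Constructed sample eve.json lines; one flow record, one alert, one truncated line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T12:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-05-01T12:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51515,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":1000001,"rev":1,'
    '"signature":"TEST constructed alert","category":"Test","severity":2}}',
    '{"timestamp":"2024-05-01T12:00:02.000000+0000","event_type":"al',
]


def eve_alert_to_syslog(line: str, hostname: str, facility: int = LOCAL5) -> Optional[str]:
    """Return an RFC 5424 syslog message for an EVE alert line, or None for anything else."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # truncated or partial line (e.g. read while Suricata is still writing it)
    if event.get("event_type") != "alert":
        return None  # flow, dns, http, stats ... are not wanted by the SIEM in this setup
    sev = SEVERITY_MAP.get(event.get("alert", {}).get("severity"), 6)
    pri = facility * 8 + sev  # PRI = facility * 8 + severity
    ts = event.get("timestamp", "-")
    body = json.dumps(event, separators=(",", ":"))  # keep the JSON intact for rsyslog/SIEM parsing
    return f"<{pri}>1 {ts} {hostname} suricata - - - {body}"


def convert_lines(lines: Iterable[str], hostname: str) -> List[str]:
    """Convert an iterable of eve.json lines into the syslog messages worth forwarding."""
    return [m for m in (eve_alert_to_syslog(l, hostname) for l in lines) if m]


def ship_eve_file(path: str, hostname: str, rsyslog_host: str, port: int = 514) -> int:
    """Send every alert in an eve.json file to rsyslog over UDP; returns the number sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, encoding="utf-8") as fh:
        for msg in convert_lines(fh, hostname):
            sock.sendto(msg.encode("utf-8"), (rsyslog_host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    for m in convert_lines(SAMPLE_EVE_LINES, "fw1"):
        print(m)
```

For a live setup the same conversion would run against the file as it grows (for example by remembering the last offset) and rsyslog would need a UDP or TCP listener for the local5 facility; a TCP listener is preferable so that alerts are not silently dropped.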