how to forward new entries from a specific log to a remote syslog server
-
Suricata logs alerts for a specific interface in /var/log/suricata/suricata_igc047597/alerts.log
I want to forward new entries in this file to a remote syslog server.
The remote server is up and running and is already accepting entries from another file (filterlog). I assume this should be possible by adding a file with references to the log file and the remote syslog server; unfortunately, I can't find (I have been searching for a few days now) a working solution.
Suricata creates multiple log files, so '!suricata' doesn't appear to work (Suricata not using syslog to create logs?)
I already asked this in the Suricata/Snort part of this forum; the proposed solutions are far more complex than what I require, e.g. simply forwarding entries from a specific log to a remote server.
Thanks for your time and effort.
-
I'm not sure you can do that for a specific Suricata log file like that. You can only forward to a remote server what is logged in the main syslog interface, and Suricata does not log there unless you set 'Send Alerts to System Log'. That sends alerts for all interfaces, but you could filter that on the remote server.
Pretty much what @bmeeks (the package author) said in the other thread.
Steve
-
I tried all suggestions made by @bmeeks, but unfortunately they don't work: nothing ends up in the BSD syslog, thus nothing is forwarded.
On Debian, you can use imfile to look at a log and take actions depending on the message, something like:
# load the file-input module and watch the unbound log with inotify
module(load="imfile" mode="inotify")
input(type="imfile" File="/etc/unbound/log/unbound.log" reopenOnTruncate="on" Tag="unbound: ")
# only lines containing 'rpz' are written to the separate file, then processing stops
if ($msg contains 'rpz') then {
    action(type="omfile" dirCreateMode="0700" FileCreateMode="0644" File="/home/pi/rsyslog/rsyslog_unbound.log" template="unboundmsg")
    stop
}
I wonder if something similar exists on BSD. The condition for the action would be useful on the source (pfSense) but is not required; I can do that on the destination (Debian). The action should be something that forwards the entire message (something like @192.168.2.56:514?).
-
You enabled 'Send Alerts to System Log' in the Suricata interface config and it's not sending that to the main system log?
-
On the interface (WAN):
-
I just tested this in a 2.7.0 development snapshot virtual machine and it worked. I received the alerts in the pfSense system log. Did you remember to restart Suricata on the interface after making the parameter change? Suricata is a system daemon that is not dynamic. It only reads its setup configuration during initial startup. After that, other than rules updates which have a special reload signal, any other change to the daemon's configuration requires it to be restarted so it will read the updated configuration.
Here are the settings from the INTERFACE SETTINGS tab in Suricata:
And here are the alerts from an nmap scan showing in the pfSense system log (syslog):
And here is the ALERTS tab view showing the events from the alerts.log (note the timestamps are slightly different because I repeated the nmap scan twice and copied the newest alerts, which were at the top of the log, but there is a corresponding matching set of alerts for the 13:44 timestamp that is shown in the syslog entries up above):
-
@jpgpi250 said in how to forward new entries from a specific log to a remote syslog server:
Suricata logs alerts for a specific interface in /var/log/suricata/suricata_igc047597/alerts.log
I want to forward new entries in this file to a remote syslog server.
The remote server is up and running and is already accepting entries from another file (filterlog). I assume this should be possible by adding a file with references to the log file and the remote syslog server; unfortunately, I can't find (I have been searching for a few days now) a working solution.
Suricata creates multiple log files, so '!suricata' doesn't appear to work (Suricata not using syslog to create logs?)
I already asked this in the Suricata/Snort part of this forum; the proposed solutions are far more complex than what I require, e.g. simply forwarding entries from a specific log to a remote server.
Thanks for your time and effort.
I think the most elegant way would be to install the “Syslog-ng” package and have that monitor the file and forward new entries via syslog to your syslog host. It works like a charm.
I use the Syslog-ng package on remote sites as a concentrator for the switches and APs there. They all syslog to syslog-ng, which in turn forwards it to my central syslog host via syslog over TCP (no lost messages). At the same time, Syslog-ng monitors all relevant log files on pfSense itself to forward new entries in those, e.g. pfBlockerNG DNSBL logs and FreeRADIUS logs, apart from the standard pfSense logs. pfSense itself is not set up for syslog forwarding to Syslog-ng. It just writes to local files as per standard. Those files are instead monitored by Syslog-ng locally.
A neat feature of this setup is that Syslog-ng can also forward directly to Elasticsearch, Graylog and other log utilities that have their own extended data format (not using the syslog format only).
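As an added example (not from the thread and not shipped with the pfSense Syslog-ng package), here is a hand-written syslog-ng configuration that does what the post above describes and what the original question asks for: tail the interface's alerts.log and forward every new line to a central syslog host over TCP. The remote address 192.168.2.56:514 is taken from the earlier post, and the @version value is an assumption to be matched to the installed syslog-ng; on pfSense the same source, destination and log objects are entered through the Syslog-ng package GUI.

```syslog-ng
# Added example: forward new lines of one Suricata interface's alerts.log
# to a remote syslog host. Set @version to the installed syslog-ng release.
@version: 3.38

# Tail the interface-specific alerts.log. flags(no-parse) keeps the whole
# line as the message body, because alerts.log lines are not in syslog
# format; program-override fills the PROGRAM field seen on the remote host.
source s_suricata_wan {
    file("/var/log/suricata/suricata_igc047597/alerts.log"
         follow-freq(1)
         flags(no-parse)
         program-override("suricata"));
};

# Remote collector (address and port assumed from the thread). TCP is used
# so that messages are not silently dropped, as they can be with UDP.
destination d_remote_syslog {
    network("192.168.2.56" transport("tcp") port(514));
};

# Optional filter: alerts.log lines carry "[Priority: N]"; this keeps only
# priority 1 and 2 alerts. The question asks for every entry, so the log
# path below does not use it; add filter(f_high_priority); to enable it.
filter f_high_priority {
    message("Priority: [12]");
};

log {
    source(s_suricata_wan);
    destination(d_remote_syslog);
};
```

Restart the syslog-ng service after saving so the new file source is picked up; the remote side receives each alert line unchanged, which is where the per-message filtering mentioned earlier can also be done.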
-
@jpgpi250 said in how to forward new entries from a specific log to a remote syslog server:
I finally got it working, see my comments here
thanks for your time and effort.
Both methods will work in the Suricata package: (1) plain syslog output to the local system log by checking the option on the INTERFACE SETTINGS tab and then restarting Suricata; or (2) configuring the EVE logging subsystem to write to syslog instead of a physical file.
EVE is the direction the upstream Suricata team is encouraging for logging. You can enable the logging of more information via the options in EVE as compared to the older vanilla syslog output feature.
Again, restarting Suricata on the interface after any changes to its core configuration is required for the change to become effective.
-