Suricata not outputting to Logging server

michmoor · Jan 28, 2023, 10:53 PM

I am testing Suricata alerting with Graylog and im running into an issue on the pfsense which is interesting.
I have two interfaces set up for Suricata. DMZ and LAN. They are set up similarly in that alerts are sent to the system logs which in turn are sent to the logging server for further processing.

In order to test my alerts i run the following command from a Linux host on each network

curl -A "BlackSun" google.com

On the DMZ client, as expected this generates an alert and i see it show up in GreyLog. I got an email alert and everything is good.
On the LAN client, i see the alert in the alerts.log file. Suricata sees it. Nothing in GrayLog.

Yet...Nothing in Graylog. This is what i see on the logging server. DMZ network is 192.168.15.X/24

I have restarted Suricata on the LAN but no difference.

michmoor · Jan 28, 2023, 10:57 PM

@michmoor FIXED.
What i did? Unselect the option to send to syslog. Clicked Save.
Then i received the following message

EVE Output to syslog requires Suricata alerts to be copied to the system log, so 'Send Alerts to System Log' has been auto-enabled.

Tested again...Works. Alerts received in the logging server as well as email notification.