Suricata logging the mac-address with EVE JSON Log
-
Hello everyone,
we would like to use suricata 6.0.13 to log our traffic through an interface, including the source MAC address.
So we activated EVE JSON Log with Output Type "File".
In the suricata.yaml we changed the argument ethernet to yes and deleted the #. Also we tried to force this function under Advanced Configuration Pass-Through, but we can't find the right syntax (service can't start).
Can anyone tell us the correct syntax or otherwise help?
Best Regards
proedv -
Manual edits of the suricata.yaml file do not work. There is a separate conf file for each Suricata interface, and that conf file is stored in a subdirectory underneath /usr/local/etc/suricata/. The suricata.yaml file for an interface is created from scratch by the PHP GUI code each time you save a change in the GUI or start the package. Any manual edits are immediately lost at that point. You should never manually edit any configuration files in pfSense. All of that is done by the GUI code.
Your "Advanced Configuration Pass-Through" attempt is not working because in order to do that you would have to provide the entire EVE JSON logging configuration section. You can't provide just a single piece (which is what I assume you tried).
Finally, logging of MAC addresses is not a currently configurable option in the GUI due to its being default disabled. So, the TLDR version is the mac-address logging option is not supported in the GUI code at this time.
You can manually edit the YAML template file used to construct the suricata.yaml file for each interface to achieve what you want. But be aware the next time you update the Suricata package (or reinstall the existing version) the change will be overwritten.
If you want to edit the template file, it can be found here: /usr/local/pkg/suricata/suricata_yaml_template.inc. Find the following section in that file:
  - eve-log:
      enabled: {$enable_eve_log}
      filetype: {$eve_output_type}
      filename: {$eve_output_filename}
      redis: {$eve_redis_output}
      identity: "suricata"
      facility: {$eve_systemlog_facility}
      level: {$eve_systemlog_priority}
and edit it by adding the "ethernet" option as follows, being sure to properly indent the added line (and do not change or edit any other section or you risk breaking Suricata completely on the box):
  - eve-log:
      enabled: {$enable_eve_log}
      filetype: {$eve_output_type}
      filename: {$eve_output_filename}
      redis: {$eve_redis_output}
      identity: "suricata"
      facility: {$eve_systemlog_facility}
      level: {$eve_systemlog_priority}
      ethernet: yes
Save the change and then go to each Suricata interface, stop the running daemon, click Save on the Interface Settings tab to regenerate the suricata.yaml file for the interface from the new template, then restart Suricata on the interface.
-
Hi, thank you for your fast response.
We tested the solution you suggested and it works well.
Is it possible to get the result without modifying the suricata_yaml_template.inc file? We tried the following code, and similar variations of it, in the Advanced Configuration Pass-Through section, but without success.
  - eve-log:
      enabled: {$enable_eve_log}
      filetype: {$eve_output_type}
      filename: {$eve_output_filename}
      redis: {$eve_redis_output}
      identity: "suricata"
      facility: {$eve_systemlog_facility}
      level: {$eve_systemlog_priority}
      ethernet: yes
Can you please provide the correct syntax for the required section?
Thank you in advance,
kind regards
Andreas -
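The template edit described earlier in the thread (adding "ethernet: yes" under the eve-log block of /usr/local/pkg/suricata/suricata_yaml_template.inc with the right indentation) has to be redone after every package update. The script below is an added example for doing that repeatably; it is not from the thread or from the pfSense Suricata package. It assumes the eve-log block ends with the "level: {$eve_systemlog_priority}" line exactly as quoted above, copies that line's indentation for the new key, keeps a backup, and refuses to add a second copy on re-runs (a duplicate key would break the regenerated suricata.yaml).

```shell
#!/bin/sh
# Added example, not part of the pfSense Suricata package.
# Assumption: the eve-log block in the template ends with the line
# "level: {$eve_systemlog_priority}"; "ethernet: yes" is inserted right
# after it with the same leading whitespace. Every other line is copied
# through untouched.
TEMPLATE=/usr/local/pkg/suricata/suricata_yaml_template.inc

add_ethernet_option() {
    tmpl="$1"
    # Idempotent: a second run must not produce a duplicate key.
    if grep -q 'ethernet: yes' "$tmpl"; then
        echo "ethernet: yes already present in $tmpl"
        return 0
    fi
    cp "$tmpl" "$tmpl.bak" || return 1
    awk '
        { print }
        !done && index($0, "level: {$eve_systemlog_priority}") > 0 {
            # reuse the leading whitespace of the level: line
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "ethernet: yes"
            done = 1
        }
    ' "$tmpl.bak" > "$tmpl" || return 1
    # Verify the line actually landed; otherwise restore the backup.
    if grep -q 'ethernet: yes' "$tmpl"; then
        echo "added ethernet: yes to $tmpl (backup in $tmpl.bak)"
    else
        cp "$tmpl.bak" "$tmpl"
        echo "level: line not found, $tmpl left unchanged" >&2
        return 1
    fi
}

# Usage on the firewall (as root), then regenerate suricata.yaml for each
# interface from the GUI as described in the thread:
#   add_ethernet_option "$TEMPLATE"
```

After running it, the GUI step is still required: stop the daemon, click Save on the Interface Settings tab so the yaml is rebuilt from the patched template, and restart Suricata on the interface.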
-
@proedv said in Suricata logging the mac-address with EVE JSON Log:
Is it possible to get the result without modifying the suricata_yaml_template.inc file?
No.
@proedv said in Suricata logging the mac-address with EVE JSON Log:
We tried the following code, and similar variations of it, in the Advanced Configuration Pass-Through section, but without success.
It does not work because you are not providing the entire EVE JSON logging configuration. And doing so means abandoning everything you configure in the GUI and doing it all by hand in the Pass-Through section. If you are familiar with PHP programming, you will note that the snippets in the template file contain PHP variable placeholders. Those variables are populated with detailed content during the PHP code execution and then expanded as the final result is written to the suricata.yaml file constructed for the interface. When those PHP variables are expanded, multiple additional lines of configuration data are written to the YAML file. But you cannot include those variables in the configuration pass-through option as that expects literal data (with no variables).
To see what I mean, open up and examine the suricata.yaml file for one of your interfaces. Browse to /usr/local/etc/suricata/suricata_xxxxx/ and open the suricata.yaml file you find in there. Replace "xxxxx" in the path with the physical interface name and a UUID for the interface. You can see the interface subdirectories under /usr/local/etc/suricata/.
-
Sorry to resurrect an old thread, but we're also interested in recording the MAC address in the block logs. Currently we are only getting the IP address with the default config. Understanding that this isn't available to configure through the GUI and that we'd have to reapply the patch to the suricata_yaml_template.inc file after any upgrade, where would I add it to get the MAC in the log? We are not using the EVE JSON option though, and currently the entries look like this:
/var/log/suricata/suricata_ix0.40117147/block.log:12/22/2023-18:52:20.987660 [Block Src] [**] [1:2012390:6] ET P2P Libtorrent User-Agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.18.190.191:54703
/var/log/suricata/suricata_ix0.40117147/block.log:12/22/2023-19:38:43.785701 [Block Src] [**] [1:2010144:6] ET P2P Vuze BT UDP Connection (5) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 172.18.190.191:6881
Is that possible? Thanks!
-
@PalisadesTahoe said in Suricata logging the mac-address with EVE JSON Log:
Sorry to resurrect an old thread, but we're also interested in recording the MAC address in the block logs
This is not possible. Recording the MAC address is only possible in the EVE.JSON log. That's a limitation of the underlying Suricata binary.
The feature to enable EVE.JSON logging of Ethernet Headers (the MAC addresses) was added to the GUI with one of the recent updates. You will see that option available once you enable EVE JSON logging for the interface.
If you do not utilize EVE JSON logs, then you can't log the MAC address.
You should also be aware that logging of MAC addresses is of very limited use. Each time a packet crosses an interface when being routed, the MAC address is replaced by that of the router. Thus when on the WAN, the only MAC address you would ever see for external packets would be that of your default gateway, and the only internal packet MAC addresses you would see would be that of the firewall's WAN interface. There is a discussion of this in the Stack Exchange thread here: https://networkengineering.stackexchange.com/questions/53379/do-routers-change-mac-address-of-packets-when-forwarding.
The only place you would see local host MACs is on an internal interface such as your LAN. But even then, all the external MAC addresses would just be that of the LAN. In my opinion it is a feature with an extremely limited benefit.
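As an added example (not code from the thread or from the Suricata or pfSense projects), the script below reads EVE JSON lines, keeps the alert events, pulls out the "ether" object that the ethernet option adds, and then groups the IPs seen behind each MAC. That grouping makes the caveat above visible in the data: a MAC that fronts many unrelated IPs is the firewall or gateway interface, not a host. The log lines are constructed for the example (the addresses are made up; the signature ids are the two from the block log earlier in the thread); the ether/src_mac/dest_mac field names follow Suricata's EVE output format, and records without the object are handled the way an interface whose yaml lost the option after an update would produce them.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON records (made up for this example, not taken
# from the thread). The "ether" object with src_mac/dest_mac is the layout
# Suricata's eve-log emits for alerts once `ethernet: yes` is set. The last
# alert lacks it, and the final line is a truncated write, as seen when
# eve.json is read while Suricata is still appending to it.
# aa:bb:cc:dd:ee:01 plays the firewall's LAN interface MAC.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2023-12-22T18:52:20.987660+0000", "event_type": "alert",
                "src_ip": "172.18.190.191", "src_port": 54703,
                "dest_ip": "203.0.113.10", "dest_port": 6881, "proto": "TCP",
                "ether": {"src_mac": "00:11:22:33:44:55", "dest_mac": "aa:bb:cc:dd:ee:01"},
                "alert": {"signature_id": 2012390,
                          "signature": "ET P2P Libtorrent User-Agent"}}),
    json.dumps({"timestamp": "2023-12-22T19:38:43.785701+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "src_port": 6881,
                "dest_ip": "172.18.190.191", "dest_port": 6881, "proto": "UDP",
                "ether": {"src_mac": "aa:bb:cc:dd:ee:01", "dest_mac": "00:11:22:33:44:55"},
                "alert": {"signature_id": 2010144,
                          "signature": "ET P2P Vuze BT UDP Connection (5)"}}),
    json.dumps({"timestamp": "2023-12-22T19:40:01.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.9", "src_port": 6881,
                "dest_ip": "172.18.190.191", "dest_port": 6881, "proto": "UDP",
                "ether": {"src_mac": "aa:bb:cc:dd:ee:01", "dest_mac": "00:11:22:33:44:55"},
                "alert": {"signature_id": 2010144,
                          "signature": "ET P2P Vuze BT UDP Connection (5)"}}),
    json.dumps({"timestamp": "2023-12-22T19:41:00.000000+0000", "event_type": "flow",
                "src_ip": "172.18.190.191", "dest_ip": "203.0.113.10"}),
    json.dumps({"timestamp": "2023-12-22T19:42:00.000000+0000", "event_type": "alert",
                "src_ip": "172.18.190.191", "src_port": 40000,
                "dest_ip": "203.0.113.20", "dest_port": 6881, "proto": "TCP",
                "alert": {"signature_id": 2012390,
                          "signature": "ET P2P Libtorrent User-Agent"}}),
    '{"timestamp": "2023-12-22T19:43:00.000000+0000", "event_type": "al',  # truncated
]


def parse_eve_alerts(lines):
    """Reduce EVE alert events to the address tuple an analyst looks at.

    Non-alert events and lines that are not complete JSON are skipped.
    src_mac / dest_mac are None when the record has no "ether" object.
    """
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        ether = ev.get("ether") or {}
        rows.append({
            "timestamp": ev["timestamp"],
            "sid": ev["alert"]["signature_id"],
            "src_ip": ev["src_ip"], "src_mac": ether.get("src_mac"),
            "dest_ip": ev["dest_ip"], "dest_mac": ether.get("dest_mac"),
        })
    return rows


def hosts_by_mac(rows):
    """Map each MAC seen in alerts to the sorted list of IPs that sat behind it.

    A MAC that accumulates many unrelated IPs is a router or firewall
    interface, not a host: on the WAN every external address hides behind
    the gateway's MAC, which is the limited-benefit point made in the thread.
    """
    seen = defaultdict(set)
    for row in rows:
        if row["src_mac"]:
            seen[row["src_mac"]].add(row["src_ip"])
        if row["dest_mac"]:
            seen[row["dest_mac"]].add(row["dest_ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}


def alerts_missing_ether(rows):
    """Alerts logged without MAC data, e.g. from an interface whose regenerated
    suricata.yaml no longer carries `ethernet: yes` after a package update."""
    return [row for row in rows if row["src_mac"] is None]


if __name__ == "__main__":
    rows = parse_eve_alerts(SAMPLE_EVE_LINES)
    for mac, ips in hosts_by_mac(rows).items():
        print(f"{mac}: {', '.join(ips)}")
    print(f"alerts without ether object: {len(alerts_missing_ether(rows))}")
```

Run against a real eve.json, the first check worth making is the output of alerts_missing_ether: if it is non-empty on an interface that should have the option, the template edit has most likely been overwritten by an update and needs reapplying.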
-
Thanks for the prompt reply. If one enables EVE.JSON logging, do the standard logs we're seeing disappear? Or would that be in addition to the default logs?
-
@PalisadesTahoe said in Suricata logging the mac-address with EVE JSON Log:
Thanks for the prompt reply. If one enables EVE.JSON logging, do the standard logs we're seeing disappear? Or would that be in addition to the default logs?
EVE JSON logs are additional logs. They are quite "wordy" and thus you need to be sure to enable the LOG MGMT features of the Suricata package. And you need plenty of disk space (and an SSD or physical spinning media -- eMMC cards can be killed quickly by the volume of writes).
-
Thanks. I was able to reduce the logging to focus on what I was looking for and they are much less noisy than default and working for what we need.