Netgate Discussion Forum
    Suricata and System Logs

    pfSense Packages

    • BBcan177 (Moderator)

      I am running Snort (IPS mode) and Suricata (non-IPS mode) and have noticed that the Suricata logs are populating the System logs when it's not enabled?

      In Suricata, I have the Global Settings: Log to System Log ("Copy Suricata messages to the firewall system log.") [ Disabled ]

      May 24 14:10:55 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.48.97.236:24740
      May 24 14:09:56 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 87.250.247.173:80 -> x.x.x.x8:63651
      May 24 14:09:41 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 41.224.249.124:49100
      May 24 14:08:57 suricata[72265]: [1:2200029:1] SURICATA ICMPv6 unknown type [Classification: (null)] [Priority: 3] {IPV6-ICMP} fe80:0000:0000:0000:2264:32ff:fe52:4af1:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
      May 24 14:08:09 suricata[72265]: [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [Classification: (null)] [Priority: 3] {TCP} 24.114.67.158:20606 -> x.x.x.x:443
      May 24 14:05:37 suricata[72265]: [1:2210016:1] SURICATA STREAM CLOSEWAIT FIN out of window [Classification: (null)] [Priority: 3] {TCP} 24.114.48.241:27636 -> x.x.x.x:443
      May 24 14:03:57 suricata[72265]: [1:2220008:1] SURICATA SMTP data command rejected [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} x.x.x.x:25 -> 190.112.106.223:26962

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • bmeeks

        @BBcan17:

        Have you performed a "save" operation after disabling the writing to the system log, and also tried restarting Suricata?  Look in the suricata.yaml file for the interface and see if syslog output is showing as enabled.

        Bill

        • BBcan177 (Moderator)

          @bmeeks:

          Hi Bill,

          Sorry for sounding the alarm. I was looking at the General Settings tab for System logs, which was not enabled. I have now disabled the system logs for the WAN and LAN interfaces.  :o

          I don't recall the logs going to the system.log with the previous Suricata package. I haven't played with the Suricata settings for a while now.

          Here is what is in the yaml file for "syslog":

          grep -A4 -n "syslog" /usr/pbi/suricata-amd64/etc/suricata/suricata_30898_bce0/suricata.yaml
          73:  - syslog:
          74-      enabled: no
          75-      identity: suricata
          76-      facility: auth
          77-      level: Info
          --
          225:  - syslog:
          226-      enabled: yes
          227-      facility: auth
          228-      format: "[%i] <%d> -- "
          229-


          • bmeeks

            @BBcan17:

            I can't remember exactly when I enabled that, but it's been there at least since one of the earlier BETA releases.  Suricata has two distinct and different logging paths.  One is for alerts.  Those can go to syslog or not.  The other is for Suricata operations-related stuff like startup, shutdown, etc.  That always goes to the suricata.log file on pfSense, but can optionally go to the system log (syslog) as well if enabled.  That's why there are two different parts of the suricata.yaml file that reference syslog.

            Bill
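            The check Bill suggested (look in suricata.yaml and see whether syslog output is enabled) and his explanation of the two separate syslog stanzas (alert output under `outputs:`, engine messages under `logging:`) can be turned into a small script. The one below is an added example for this thread, not code from either poster or from the pfSense Suricata package. It assumes a Suricata 2.x-era file layout, walks the file by indentation instead of depending on PyYAML, and uses the labels "alerts" and "engine" as its own naming for the two stanzas; the embedded YAML is a constructed sample, not the poster's file.

            ```python
            # Added example (not the forum posters' or the pfSense package's own code):
            # report which of the two Suricata syslog stanzas are enabled in a suricata.yaml.
            import re
            import sys
            from typing import Dict

            # Constructed sample in the layout of a Suricata 2.x-era suricata.yaml (assumed
            # layout, not copied from the poster's system). It holds the two stanzas the
            # thread discusses: alert output under "outputs:", engine logging under "logging:".
            SAMPLE_YAML = """\
            %YAML 1.1
            ---
            outputs:
              - fast:
                  enabled: yes
                  filename: alerts.log
              - syslog:
                  enabled: no
                  identity: suricata
                  facility: auth
                  level: Info
              - http-log:
                  enabled: yes
                  filename: http.log

            logging:
              default-log-level: info
              outputs:
              - file:
                  enabled: yes
                  filename: /var/log/suricata/suricata.log
              - syslog:
                  enabled: yes
                  facility: auth
                  format: "[%i] <%d> -- "
            """

            # Top-level YAML key -> what the syslog stanza underneath it carries (our labels).
            SECTION_LABELS = {"outputs": "alerts", "logging": "engine"}

            SYSLOG_ITEM = re.compile(r"^(\s*)-\s*syslog:\s*$")
            KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(.*)$")


            def _indent(line: str) -> int:
                return len(line) - len(line.lstrip(" "))


            def find_syslog_outputs(text: str) -> Dict[str, Dict[str, str]]:
                """Return {label: {key: value}} for every '- syslog:' block in the file.

                A block under the top-level 'outputs:' key is labelled 'alerts', one under
                'logging:' is labelled 'engine'; any other section keeps its raw key name.
                """
                lines = text.splitlines()
                found: Dict[str, Dict[str, str]] = {}
                top = "?"
                i = 0
                while i < len(lines):
                    line = lines[i]
                    stripped = line.strip()
                    # A non-indented 'name:' line opens a new top-level section.
                    if (stripped and not line[0].isspace() and stripped.endswith(":")
                            and not stripped.startswith(("-", "#"))):
                        top = stripped[:-1]
                    m = SYSLOG_ITEM.match(line)
                    if not m:
                        i += 1
                        continue
                    base = len(m.group(1))
                    block: Dict[str, str] = {}
                    # The stanza body is every following line indented deeper than the
                    # '- syslog:' item itself; blank lines are skipped, not terminators.
                    j = i + 1
                    while j < len(lines):
                        nxt = lines[j]
                        if not nxt.strip():
                            j += 1
                            continue
                        if _indent(nxt) <= base:
                            break
                        kv = KEY_VALUE.match(nxt)
                        if kv:
                            block[kv.group(1)] = kv.group(2).strip().strip('"')
                        j += 1
                    found[SECTION_LABELS.get(top, top)] = block
                    i = j
                return found


            def syslog_enabled(text: str) -> Dict[str, bool]:
                """Map each syslog stanza to whether Suricata would actually use it."""
                return {
                    label: block.get("enabled", "no").lower() in ("yes", "true", "on")
                    for label, block in find_syslog_outputs(text).items()
                }


            if __name__ == "__main__":
                # Pass the path of a real suricata.yaml to check it; otherwise use the sample.
                source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAML
                for label, on in syslog_enabled(source).items():
                    print(f"{label:7s} -> syslog {'ENABLED' if on else 'disabled'}")
            ```

            Run it with the per-interface file from the thread as its argument (the path under /usr/pbi/suricata-amd64/etc/suricata/ shown in the grep above) and it prints one line per stanza. On the sample it reports alerts disabled and engine logging enabled, which is exactly the combination that produces the poster's symptom: the alert-side switch is off, yet engine messages still reach syslog through the second stanza.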
