Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work



  • Hello,

    I'm trying to set up Suricata 2.0.4 on pfSense 2.2 and everything is working smoothly. The only issue I have is that I need to forward the Suricata log files from pfSense to an external syslog server located inside the same local network.

    I've already set up pfSense to forward the system log files to the remote syslog server and this is working properly. Now I need to redirect Suricata log files into pfSense syslog so that it automatically gets forwarded to the remote syslog server.

If I select the option "Suricata will send Alerts from this interface to the firewall's system log." and I restart the network interface, it works perfectly and all the alerts are forwarded to the pfSense syslog and then to the remote syslog server. If I try to forward the EVE json log it doesn't work anymore though (check attached picture), nothing is logged on the pfSense syslog service. If I switch from syslog to logging EVE json to "file", then it works and I see the EVE json log file created.

    How can I force Suricata to send the EVE json log into pfSense syslog so that it automatically gets forwarded to the remote log server?

    Many thanks in advance!

    Kind regards



  • Anybody that could give me a hint how to forward the suricata EVE json files from pfSense to an external syslog server?  :(

Thanks in advance  :)


  • Moderator



  • Many thanks for your answer and your time :)

    I read the link you posted, I just don't understand why there's the option in Suricata to output the EVE json log to the local pfSense syslog server and I don't see the actual output in "Status -> System logs -> System -> General" :( Where am I wrong?



  • @mfil67:

    Many thanks for your answer and your time :)

    I read the link you posted, I just don't understand why there's the option in Suricata to output the EVE json log to the local pfSense syslog server and I don't see the actual output in "Status -> System logs -> System -> General" :( Where am I wrong?

    You will need to alter the default Log Level and Log Facility.  pfSense does its own syslog-type filtering and scatters logged events across several log files based on facility and level.  It's been a while, but I think you can try LOG_AUTH for the facility and LOG_INFO for level and see if that won't put the data into the system log.  Each time you change the Suricata setting, you will need to restart Suricata on that interface.

    EDIT: As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submittal to the pfSense Team.  If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch Logstash Kibana) setup.

    Bill



  • Many thanks, much appreciated :)

    I tried with auth/info as well as auth/alert, authpriv/alert, kern/alert. No EVE json string has been printed :( This is so weird, am I wrong somewhere?  :(



  • @mfil67:

    Many thanks, much appreciated :)

    I tried with auth/info as well as auth/alert, authpriv/alert, kern/alert. No EVE json string has been printed :( This is so weird, am I wrong somewhere?  :(

    I will need to find some time and test this myself.  I think I briefly verified that it worked way back when I first added the option to the package, but to be honest I am not 100% positive about testing it.  I added a lot of functionality at that time and was doing a lot of testing back and forth.  I could have missed that particular option.

    Bill



  • OK.  Got this to work by also checking the "Send Alerts to System Log" checkbox in the Logging Settings section of the INTERFACE SETTINGS tab.

    For both options you will need to set the Log Facility to auth and the Log Level to info in the corresponding drop-down boxes.  After saving the changes, restart Suricata on the interface.

    Suricata does not seem to initialize syslog output at all unless the "Send Alerts to System Log" option is also enabled.  Apparently this is what loads the syslog output module that the EVE JSON output to syslog is dependent upon.

NOTE:  be prepared and expect your system log output formatting to be weird when viewed from the Status > System Log menu.  This is a consequence of the way JSON output is formatted.

    Bill



You are THE man! Dude, you made it! This is awesome, thank you very much!! I didn't know what else I could try to make it work!  ;D
    Whatever I can do to help you, please let me know - I owe you a beer!  :)

    As soon as I set up an ELK server I'll get in touch with you again so that I can stress-test your close-to-release package :)

    Again, thank you very much!

    Best regards



  • @mfil67:

You are THE man! Dude, you made it! This is awesome, thank you very much!! I didn't know what else I could try to make it work!  ;D
    Whatever I can do to help you, please let me know - I owe you a beer!  :)

    As soon as I set up an ELK server I'll get in touch with you again so that I can stress-test your close-to-release package :)

    Again, thank you very much!

    Best regards

    You are welcome.  Next time I make some GUI code updates to the package, I will tie the EVE JSON syslog output toggle to the output alerts to system log toggle so it is auto-enabled (if not already) when you choose EVE JSON output to syslog.

    Bill



Hi guys, maybe you could help me…

I'm trying to send BOTH syslog and Suricata logs to the SAME ELK server.
Actually, thanks to abundant online documentation and howtos I managed to get my pfSense devices centrally monitored on an ELK server.

The problem I'm facing is that I cannot get Suricata working on that same server...
I don't know, or I didn't find, how to tell Logstash that a combined syslog / Suricata flow will arrive at the TCP input.

Actually, I have a pair of inputs listening on TCP/UDP port 514, type syslog, and they read the logs fine as they arrive.
But how do I add type suricata + codec json on the same listening ports?

Alternatively, I do not know how to make Suricata send its logs on a separate port (I'm using your setup, where I'm trying to use the same pfSense syslog flow to the remote syslog server).

Could you give me some clue?
Thanks in advance, best regards
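The two practical points in this thread are Bill's working setup (EVE JSON relayed through the pfSense syslog with facility auth / level info, which makes the system log look "weird" because each line carries a JSON object) and the later question of how a collector is supposed to tell those JSON lines apart from ordinary firewall syslog arriving on the same port. The following is an added example, not code from the thread, from the pfSense Suricata package or from Logstash: it shows the demultiplexing a collector has to do. It assumes BSD-style (RFC 3164) syslog lines with a leading <PRI> as relayed by pfSense, that Suricata's EVE events arrive as a JSON object in the message body with an `event_type` key, and that its text alerts arrive as plain text under the same `suricata` tag. The sample lines are constructed, not captured from a real box; `classify`, `split_feed` and `decode_pri` are names chosen for this example.

```python
"""Demultiplex a combined pfSense syslog feed into ordinary syslog events
and Suricata EVE JSON events.

Added example, not code from the thread, the pfSense Suricata package or
Logstash.  Assumes: Suricata's EVE JSON output (and its text alerts) go to
the local pfSense syslog with facility auth / level info, pfSense relays
everything to one remote collector on port 514, and the collector must
separate JSON-bearing lines from plain firewall syslog on the same socket.
The sample lines below are constructed, not captured.
"""
import json
import re

# BSD syslog (RFC 3164) line as relayed by pfSense (assumed layout):
#   <PRI>Mmm dd hh:mm:ss host tag[pid]: message
# <PRI> is optional because some relays strip it.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Facility and severity names from RFC 3164; PRI = facility * 8 + severity.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) numbers."""
    return pri // 8, pri % 8


def classify(line):
    """Parse one syslog line and label it 'syslog', 'suricata' or 'unparsed'.

    A line is a Suricata EVE event when its message body is a JSON object
    carrying an ``event_type`` key.  Checking the payload rather than the
    program tag means a Suricata text alert (the "Send Alerts to System
    Log" option) still counts as plain syslog, and mangled JSON is kept
    as text instead of being dropped.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"type": "unparsed", "raw": line}
    event = {"timestamp": m["ts"], "host": m["host"], "tag": m["tag"]}
    if m["pri"] is not None:
        fac, sev = decode_pri(int(m["pri"]))
        event["facility"] = FACILITY.get(fac, str(fac))
        event["severity"] = SEVERITY[sev]
    msg = m["msg"]
    if msg.startswith("{"):
        try:
            payload = json.loads(msg)
        except ValueError:
            payload = None  # truncated or mangled JSON: fall through to text
        if isinstance(payload, dict) and "event_type" in payload:
            event["type"] = "suricata"
            event["eve"] = payload
            return event
    event["type"] = "syslog"
    event["message"] = msg
    return event


def split_feed(lines):
    """Return (plain_syslog_events, suricata_events) for an iterable of lines."""
    plain, eve = [], []
    for line in lines:
        ev = classify(line)
        (eve if ev["type"] == "suricata" else plain).append(ev)
    return plain, eve


# Constructed sample feed: a kernel line, one EVE alert via syslog (auth.info
# is PRI 4*8+6 = 38), and the same alert as Suricata's text syslog output.
SAMPLE_LINES = [
    "<6>Feb  9 10:15:01 pfsense kernel: arp: 192.168.1.50 moved from "
    "00:11:22:33:44:55 to 66:77:88:99:aa:bb on em1",
    '<38>Feb  9 10:15:02 pfsense suricata[1234]: {"timestamp":'
    '"2015-02-09T10:15:02.123456+0100","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":44321,"dest_ip":"192.168.1.10",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE '
    'id check returned root","category":"Potentially Bad Traffic",'
    '"severity":2}}',
    "<38>Feb  9 10:15:02 pfsense suricata[1234]: [1:2100498:7] GPL "
    "ATTACK_RESPONSE id check returned root [Classification: Potentially "
    "Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80",
]

if __name__ == "__main__":
    plain, eve = split_feed(SAMPLE_LINES)
    for ev in eve:
        a = ev["eve"]["alert"]
        print("%s.%s %s -> %s: [%d] %s" % (ev["facility"], ev["severity"],
              ev["eve"]["src_ip"], ev["eve"]["dest_ip"],
              a["signature_id"], a["signature"]))
    print("%d plain syslog, %d EVE" % (len(plain), len(eve)))
```

The same split is what a Logstash pipeline does with a grok pattern for the syslog header followed by a conditional that runs the json filter on the message field only when it begins with `{`; a separate port for Suricata is not needed because the payload itself identifies the event. Keying on the payload rather than the facility also matters here, since the thread shows both the text alerts and the EVE JSON arriving under the same auth/info facility and the same `suricata` tag.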



  • Morning,

    any update on that package?

    As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submittal to the pfSense Team.  If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch Logstash Kibana) setup.

    Thanks,