
List:       oisf-users
Subject:    Re: [Oisf-users] Problems with multiple EVE logging outputs
From:       Victor Julien <lists () inliniac ! net>
Date:       2015-01-29 21:14:10
Message-ID: 54CAA2A2.90900 () inliniac ! net

On 01/29/2015 10:12 PM, Brandon Lattin wrote:
> I'm seeing the same behavior in 2.1beta3.
> 
> Multiple eve-log outputs do not appear to work. Whichever eve-log type
> is processed second is the only active output.

Multiple file outputs may work, but there is something in the syslog
part that overrides the other one iirc, still need to look at it (and fix).

Cheers,
Victor

> On Thu, Jan 29, 2015 at 2:20 PM, Brandon Lattin <latt0050@umn.edu> wrote:
> 
>     I have another box I can test beta3 on.
> 
>     Give me about 20 minutes and I'll get back to you.
> 
>     On Thu, Jan 29, 2015 at 1:42 PM, Jay M. <jskier@gmail.com> wrote:
> 
>         Interesting, it may have to do with using the same types multiple
>         times. Beta3 fixed a redundancy issue, which isn't exactly related to
>         what you're seeing (almost the opposite problem).
> 
>         Are you able to test beta3 with this? When I have time I can give it a
>         shot in my test environment. Looks like a bug report is probably in
>         order.
> 
>         --
>         Jay
>         jskier@gmail.com
> 
> 
>         On Thu, Jan 29, 2015 at 12:38 PM, Brandon Lattin <latt0050@umn.edu> wrote:
>         > Is anyone successfully using multiple eve json methods?
>         >
>         > Note that I'm using Suricata 2.1beta2
>         >
>         > For details see:
>         > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>         >
>         > I'm currently attempting to output to both a file and syslog. I'm
>         > sidestepping the eve-logging syslog output problems by enabling "standard"
>         > syslog alert output, which generates redundant alerts, but otherwise works
>         > to set the facility and identity of eve-log. (See:
>         > https://redmine.openinfosecfoundation.org/issues/1204)
>         >
>         > I'm having no luck. I get either syslog output or file output,
>         > depending on the order of the eve-log entries. Never both. The second
>         > eve-log appears to override the first, which is not the behavior I'd expect
>         > after reading:
>         >
>         > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput
>         >
>         > Below are the relevant snippets from the suricata.yaml:
>         >
>         >
>         > outputs:
>         >   - syslog:
>         >       enabled: yes
>         >       # reported identity to syslog. If omitted the program name (usually
>         >       # suricata) will be used.
>         >       identity: "suricata"
>         >       facility: local5
>         >       level: Info ## possible levels: Emergency, Alert, Critical,
>         >       ## Error, Warning, Notice, Info, Debug
>         >
>         >   # Extensible Event Format (nicknamed EVE) event log in JSON format
>         >   - eve-log:
>         >       enabled: yes
>         >       type: syslog #file|syslog|unix_dgram|unix_stream
>         >       # the following are valid when type: syslog above
>         >       identity: "suricata"
>         >       facility: local5
>         >       level: Info ## possible levels: Emergency, Alert, Critical,
>         >                    ## Error, Warning, Notice, Info, Debug
>         >       types:
>         >         - alert:
>         >              payload-printable: yes # enable dumping payload in printable (lossy) format
>         >
>         >   - eve-log:
>         >       enabled: yes
>         >       type: file #file|syslog|unix_dgram|unix_stream
>         >       filename: eve-port1.json
>         >       # the following are valid when type: syslog above
>         >       #identity: "suricata"
>         >       #facility: local5
>         >       #level: Info ## possible levels: Emergency, Alert, Critical,
>         >                    ## Error, Warning, Notice, Info, Debug
>         >       types:
>         >         - alert:
>         >              payload-printable: yes # enable dumping payload in printable (lossy) format
>         >
>         >
>         >
>         > Thanks!
>         >
>         > --
>         > Brandon Lattin
>         > Security Analyst
>         > University of Minnesota - University Information Security
>         > Office: 612-626-6672
>         >
>         > _______________________________________________
>         > Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
>         > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>         > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>         > Training now available: http://suricata-ids.org/training/
> 
> 
> 
> 
>     -- 
>     Brandon Lattin
>     Security Analyst
>     University of Minnesota - University Information Security
>     Office: 612-626-6672
> 
> 
> 
> 
> -- 
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
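Added example, not code from the thread or from the Suricata project: a small Python check that scans the `outputs:` section of a suricata.yaml laid out like the one quoted above and reports the two conditions discussed in this thread, namely more than one enabled eve-log (where the poster reports only the last one stays active on 2.1beta2/3) and a plain syslog output enabled next to an eve-log of type syslog (the redundant-alert workaround). The sample config is constructed, and the scanner assumes Suricata's shipped two-space indentation (list items at indent 2, their keys at indent 6).

```python
import re
# Constructed sample modelled on the snippet in the thread (not the poster's file).
SAMPLE_YAML = """\
outputs:
  - syslog:
      enabled: yes
      facility: local5
  - eve-log:
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      facility: local5
      types:
        - alert:
            payload-printable: yes
  - eve-log:
      enabled: yes
      type: file
      filename: eve-port1.json
"""
ITEM = re.compile(r"^  - ([\w-]+):\s*$")          # list item at indent 2
KEY = re.compile(r"^      ([\w-]+):\s*(.*)$")     # direct key at indent 6

def parse_outputs(text):
    """Scan the 'outputs:' list using Suricata's shipped two-space layout.
    Returns [(name, {key: value})]; deeper blocks such as 'types:' are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        m = ITEM.match(line)
        if m:
            entries.append((m.group(1), {}))
            continue
        m = KEY.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).strip().strip('"')
    return entries

def check_outputs(text):
    """Flag the two conditions the thread describes: several enabled eve-log
    outputs (only one stays active on 2.1beta2/3) and duplicate syslog alerting."""
    on = [(n, kv) for n, kv in parse_outputs(text) if kv.get("enabled") == "yes"]
    eve = [kv for n, kv in on if n == "eve-log"]
    findings = []
    if len(eve) > 1:
        last = eve[-1].get("filename") or eve[-1].get("type")
        findings.append(f"{len(eve)} eve-log outputs enabled; only the last ({last}) is reported to stay active")
    if any(n == "syslog" for n, _ in on) and any(kv.get("type") == "syslog" for kv in eve):
        findings.append("plain syslog output and eve-log type syslog both enabled; alerts reach syslog twice")
    return findings
```

Run `check_outputs(open("suricata.yaml").read())` against a real file to confirm that the destination you rely on for alerting is the one that will actually receive events.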

