Hi guys,
I have the following Syslog configuration on my Suricata sensor (forward logs
to a server):
And the following Suricata Eve configuration:
When an event happens, I get on the Suricata sensor /var/log/messages file the
respective log event:
The problem is, even though the event is written into /var/log/messages, it
doesn't get forwarded unless I enable Suricata syslog logging. I have the
following syslog configuration:
But if I enable syslog logging, both log events get forwarded to the log
server. In the Suricata sensor /var/log/messages file:
{"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80
In the log server:
This leads me to think there is a bug that is preventing eve logging (using
syslog) dependent upon syslog logging. Do you guys have any idea why this is
happening?
Cheers,
Duarte
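An added diagnostic for the situation above (my own example, not Duarte's configuration or Suricata's code): it reads syslog lines as they land on the log server, normalises the eve JSON form and the alert-syslog text form of an alert to one key, and reports alerts that arrived in only one of the two forms. The `host program[pid]:` prefix and the `[gid:sid:rev]` lead of the text alert are assumed; the sample lines are constructed from the event in the post.

```python
import json
import re
from collections import defaultdict

# Constructed sample of /var/log/messages on the log server. The host/program
# prefix is assumed; the message bodies follow the two forms shown in the post.
# The second alert (src_port 52120) deliberately arrives in eve form only.
SAMPLE_LOG = """\
Jul 16 14:25:32 sensor suricata[2911]: {"timestamp":"2014-07-16T14:25:32.783633","event_type":"alert","src_ip":"client","src_port":52119,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
Jul 16 14:25:32 sensor suricata[2911]: [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} client:52119 -> server:80
Jul 16 14:25:33 sensor sshd[402]: Accepted publickey for ops from 10.0.0.5 port 51000
Jul 16 14:26:01 sensor suricata[2911]: {"timestamp":"2014-07-16T14:26:01.100000","event_type":"alert","src_ip":"client","src_port":52120,"dest_ip":"server","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006380,"rev":12,"signature":"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted","category":"Potential Corporate Privacy Violation","severity":1}}
"""

# BSD-style syslog header: "Mon DD HH:MM:SS host program[pid]: message" (assumed layout).
SYSLOG_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')
# alert-syslog text form; the "[gid:sid:rev]" lead is assumed, the tail matches the post.
ALERT_RE = re.compile(r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*? \[Priority: \d+\] '
                      r'\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$')


def parse_alert(msg):
    """Return (form, key) for an alert in eve JSON or alert-syslog text form, else None.
    key = (gid, sid, rev, proto, src_ip, src_port, dest_ip, dest_port) so both forms compare."""
    if msg.startswith('{'):
        try:
            ev = json.loads(msg)
        except ValueError:
            return None
        if ev.get('event_type') != 'alert':
            return None  # other eve record types (http, dns, ...) are not alerts
        a = ev['alert']
        return ('eve', (a['gid'], a['signature_id'], a['rev'], ev['proto'],
                        ev['src_ip'], ev['src_port'], ev['dest_ip'], ev['dest_port']))
    m = ALERT_RE.match(msg)
    if not m:
        return None
    return ('syslog', (int(m['gid']), int(m['sid']), int(m['rev']), m['proto'],
                       m['src'], int(m['sport']), m['dst'], int(m['dport'])))


def compare_forms(lines):
    """Map each alert key to the set of forms it was received in; return only the
    keys that did not arrive in both forms, i.e. the ones a forwarding gap dropped."""
    seen = defaultdict(set)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or not m['prog'].startswith('suricata'):
            continue  # not a Suricata message
        parsed = parse_alert(m['msg'])
        if parsed:
            form, key = parsed
            seen[key].add(form)
    return {key: forms for key, forms in seen.items() if forms != {'eve', 'syslog'}}
```

Run it over the forwarded file on the log server with both outputs enabled; an empty result means every alert reached it in both forms.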