Eve-log syslog doesn't appear to work

Bravo43 · March 3, 2026, 7:40pm

yes, rsyslog is running, and working. suricata is running on server_A where ryslog also runs,

using UDP and port 514.

I simulate by using the logger command to send syslog UDP to rsyslog, and this works.

#Monitor UDP port 514 on the server:

sudo tcpdump -i lo udp and port 514

# test sending udp port 514, local5:

logger -p local5.info -n 127.0.0.1 -P 514 -d “suricata sending over udp”

sudo tcpdump -i lo udp and port 514

20:38:47.337611 IP localhost.40560 > localhost.syslog: SYSLOG local5.info, length: 122
20:38:47.337611 IP localhost.40560 > localhost.syslog: SYSLOG local5.info, length: 122
20:38:47.337611 IP localhost.40560 > localhost.syslog: SYSLOG local5.info, length: 122

rsyslog writes to a local file, or forwards as configured.

If i send from the older suricata version (server_B) it works.

Not sure what i have wrong here…

ish · March 3, 2026, 8:34pm

For rsyslog, do you have the imuxsock module loaded? Suricata uses the syslog call. It doesn’t log over udp/tcp.

Bravo43 · March 4, 2026, 10:59am

Thanks Jason,

I learned something. imuxsocket is enabled, but was prevented from writing /var/lib/rsyslog/* by apparmor. (quite a few public posts regarding this topic)

Once this was solved, suricata is indeed sending over syslog, not UDP 514

This command uses the same mechanism, doesn’t show on the lo interface, same as Suricata.

logger “this is a test message”

working config:

eve-log:
enabled: yes
filetype: syslog
identity: “suricata”
facility: local5
level: Info

Apologies for the incorrect report, and thanks for the education.