Hey community, so I just started learning how to configure Suricata and syslog from scratch - that was quite a learning experience. I managed to reach a configuration template that is suitable for me. However, I'm getting both eve.json alerts and fast.log alerts, which is redundant. I want to stop sending the fast.log alerts, but I could not find ANY combination or setting change in the config file to stop sending them.
Change enabled: yes to enabled: no in your suricata.yaml file as shown below to disable fast.log writing.
```yaml
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: no
      filename: fast.log
      append: yes
      filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
```
That was one of the first things I tried. I can confirm that the log is indeed not being written anymore, but the alerts in the fast.log format are STILL being sent via syslog. Is there any way to troubleshoot this?
```yaml
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
```
Then change enabled: yes to enabled: no as shown:
```yaml
  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: no
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
```
Hey Jeff, thanks for the reply.
When I perform this change and restart the service - no logs AT ALL are being sent to QRadar. I have to change the “enabled” back to YES in order to fix it.
Not sure if I understand - I need only the flow logs (the ones that are not marked in red in the initial photo). The fast.log alerts (the ones that ARE marked in red) I don't need. And this is just a lab I'm testing; I don't have any deployment scenario I need to follow.
I see… I think what happens is that outputs.syslog.enabled is also applied to the EVE logging, because when I turn it off, everything turns off with it. What I'm trying to understand is whether there is a separate logging control JUST for the fast.log alerts; I'm just unable to find it. Not the end of the world, but it would be nice to know.
Hmm, I’m not able to reproduce the issue that you’re seeing.
As I mentioned, there are 3 controls:
- fast.log
- eve.json
- fast.log-style alerts to syslog
I regularly develop/test with the first 2 enabled. I am able to enable all 3 and receive log content in fast.log, eve.json, and /var/log/syslog. I am able to disable the first and third items without stopping the logging to eve.json (alerts and logs).
What version of Suricata are you using (suricata -V)?
What command line do you start suricata with (on Linux, cat /proc/$(pidof suricata)/cmdline)?
Just wanted to confirm that I tested with fast having enabled: no, eve-log having a filetype of syslog, and the actual syslog output left at default (disabled). All my EVE (json formatted logs) are indeed going to syslog, even with syslog output disabled.
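For anyone landing here with the same question, here is an added example (not a config from any of the posts above) of the outputs: section of suricata.yaml with the three controls set the way the last reply describes: the fast.log file off, the fast.log-style syslog output off, and eve-log sending its JSON records to syslog via filetype: syslog. The identity, facility and level keys under eve-log are the same ones shown for the syslog output earlier in the thread. Trimming the eve-log types list to alert and flow is an assumption about what the original poster wants (flow records plus JSON alerts, without the duplicated fast.log lines); the rest of the default outputs: list is omitted for brevity.

```yaml
# Added example, not from the original thread: a trimmed outputs: section
# for suricata.yaml that keeps EVE (JSON) records and drops the
# fast.log-style alert lines. Only the three controls discussed above are
# shown; the other entries of the default outputs: list are left out.
outputs:
  # Control 1: the line-based fast.log file. Off.
  - fast:
      enabled: no
      filename: fast.log
      append: yes
      filetype: regular

  # Control 2: EVE JSON logging. Instead of writing eve.json, each JSON
  # record goes to syslog because filetype is syslog. identity, facility
  # and level are the same keys the syslog output below uses.
  - eve-log:
      enabled: yes
      filetype: syslog   # 'regular' would write to the eve.json file instead
      filename: eve.json
      identity: "suricata"
      facility: local5
      level: Info
      types:
        - alert          # assumption: JSON alerts are still wanted
        - flow           # assumption: the flow records the poster asked for

  # Control 3: fast.log-style alert lines to syslog. Off. This output is
  # the source of the duplicated non-JSON alert lines; it is independent
  # of the eve-log output above.
  - syslog:
      enabled: no
      identity: "suricata"
      facility: local5
```

After editing, a config test run such as suricata -T -c /etc/suricata/suricata.yaml will catch indentation mistakes (YAML list items under outputs: must line up) before the service is restarted, and the entries in /var/log/syslog should then be JSON objects from eve-log only, with no "[**]"-style fast.log lines alongside them.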