Topic…I have all the syslog output set…and a non-multi-tenant setup works just fine. Do I need to add the output stanza to the tenant files? Thank you.
Hi,
Could you elaborate on what’s missing in the multi-tenant case?
What version of Suricata are you using?
Syslog is missing…no syslogs at all, not local or remote. The device is syslogging, just not from Suricata. Suricata version 6.0.15. A sanitized tenant file:
vars:
  address-groups:
    HOME_NET: "[<>]"            # sanitized
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544

default-rule-path: /opt/suricata/etc/suricata/rules
rule-files:
  - suricata.rules
classification-file: /opt/suricata/etc/suricata/rules/classification.config
reference-config-file: /opt/suricata/etc/suricata/reference.config
threshold-file: /opt/suricata/etc/suricata/threshold.config
Do I need to add the output syslog to the tenant files? It does not seem to be working from within the suricata.yaml file proper.
Per https://docs.suricata.io/en/suricata-6.0.0/configuration/multi-tenant.html:
The following settings are per tenant:
* default-rule-path
* rule-files
* classification-file
* reference-config-file
* threshold-file
* address-vars
* port-vars
So…not sure what I’m missing.
Bah…fail on my part…thank you working!
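For reference, the per-tenant list quoted above does not include outputs, so the syslog output stanzas stay in the main suricata.yaml next to the multi-detect block, and the tenant files carry only the rule, classification, reference, threshold and variable settings. The fragment below is an added example of that layout, not a config from this thread; the tenant file paths, tenant ids and VLAN ids are placeholders.

```yaml
# Main suricata.yaml (Suricata 6): outputs are global and apply to every tenant.
outputs:
  # Alert line output to syslog
  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Info

  # EVE JSON to syslog as well, if the collector wants structured events
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata"
      facility: local5
      level: Info
      types:
        - alert

# Tenant selection and the per-tenant files (rules, vars, thresholds only)
multi-detect:
  enabled: yes
  selector: vlan            # or "direct" when the capture method picks the tenant
  loaders: 3

  tenants:
    - id: 1
      yaml: /opt/suricata/etc/suricata/tenant-1.yaml   # placeholder path
    - id: 2
      yaml: /opt/suricata/etc/suricata/tenant-2.yaml   # placeholder path

  mappings:
    - vlan-id: 1000         # placeholder VLAN id
      tenant-id: 1
    - vlan-id: 2000         # placeholder VLAN id
      tenant-id: 2
```

Running `suricata -T -c /opt/suricata/etc/suricata/suricata.yaml` checks that the main file parses before restarting the engine.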