Overriding "default-output-filter:" in suricata.yaml at the outputs:->file level

We are new to suricata.
We would like to use, for logging, two output log files. The first would be the normal suricata.log. The second would filter out all lines except those that had a specific string - such as “end of file reached”. In the suricata.yaml file I tried creating a second “logging:->outputs:->file:” section with “filename: second.log”. I kept “default-output-filter:” as empty. I could not see any documentation on how to specify the filter at the file level (the comments just state that it “Can be overridden in an output section”) so I tried adding lines that start with “output-filter:” or “filter:”. They did not work - the result was an unfiltered second.log file. I should point out that overriding the format works OK, and overriding the filename works OK. Also, the “default-output-filter:”, when filled in, appears to work, but it applies the filter to both files. Does anyone know how to create a filter for a specific log file? Thanks. (Let me know if you need more information.)

I’m interested in this use case too.

Looking at the comments in suricata.yaml it appears possible:

  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

But I’ve been unable to get it to work for . Can we actually do this / am I misunderstanding something? Thanks.

What version are you running and can you post the suricata.yaml? There are a lot of detailed options to control each output section and what to log, so there might be an even easier way to approach this.

I am running version 6.0.8 on RHEL 7.6.
I’ve uploaded the suricata.yaml file. I added a section for an additional log output file “suricata_eof.log”. I wanted to filter only lines that have the string “end” (eventually I want the filter to be “end of file”). It works for the default_log_filter but I made several attempts to just filter it for the suricata_eof.log and in all cases that log ended up being identical to the suricata.log file. Hope this helps.

suricata.yaml (73.2 KB)

So you’re talking about suricata.log, so the logging.outputs.file section?

There is the default-log-level that you can adjust but also you can use the default-output-filter and try to use regex.