OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: r4nd0m on September 11, 2020, 10:59:45 PM

Title: Log format
Post by: r4nd0m on September 11, 2020, 10:59:45 PM
I am trying to understand where in OPNsense the syslog format is set for suricata as it differs from the default ...

this is what it should look like:

10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense
  COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web
  Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068

but it converts to "Sep 11 21:55:58 infinus.duckdns.org suricata[22702]:", i.e.

May 5 10:08:59 host.name.com suricata[{PID}]: [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense
  COMRaider ActiveX Control Arbitrary File Deletion [Classification: Web
  Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068

Where is this modified? I had a look at the different templates but can't find it, but would want to change it back to the default, as it interferes with my syslog receiver, which expects the default format ...

I would rather revert this than need to use syslog-ng and directly forward /var/log/suricata/fast.log - any hints? ...
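The two line shapes quoted above differ only in the head (the fast.log timestamp plus leading `[**]` versus a syslog `Mon dd HH:MM:SS host suricata[pid]:` prefix) and in the `[**]` that follows the message. As an added example, not part of this thread and not OPNsense or Suricata code, the parser below accepts both shapes, normalises them to one record, and re-emits a syslog-wrapped line in the native fast.log shape for a receiver that expects the default format. The sample lines are constructed from the post's two quotes (joined onto one line each, with the masked `xx.xx.232.144` kept as-is); the host name, PID, ICMP alert SID 1000001 and the year passed to `to_fast_log` are assumptions, since the syslog header carries neither year nor microseconds.

```python
"""Parse Suricata fast.log alerts in native and OPNsense syslog-wrapped form.

Added example for the forum thread above; not OPNsense or Suricata code.
The sample lines are constructed; host name, PID, the local-range ICMP SID
and the year supplied when re-emitting a syslog line are assumptions.
"""
import re
from datetime import datetime
from typing import Optional

# Tail shared by both shapes:
#   [gid:sid:rev] msg [**]? [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The "[**]" after the message is present in fast.log but stripped in the syslog
# form, so it is optional.  Ports are optional because ICMP alerts carry none.
# Addresses are matched as "no whitespace, no colon", so IPv6 literals are not
# handled here.
_TAIL = (
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Native fast.log head: MM/DD/YY-HH:MM:SS.usec followed by "[**]".
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+" + _TAIL
)

# Syslog-wrapped head as OPNsense emits it: "Mon dd HH:MM:SS host suricata[pid]: ".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+suricata\[(?P<pid>\d+)\]:\s+" + _TAIL
)

# Constructed samples: the two shapes quoted in the post, plus a port-less
# ICMP alert (SID 1000001 is in the local-rule range and is made up).
FAST_SAMPLE = (
    "10/05/10-10:08:59.667372  [**] [1:2009187:4] ET WEB_CLIENT ACTIVEX iDefense "
    "COMRaider ActiveX Control Arbitrary File Deletion [**] [Classification: Web "
    "Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068"
)
SYSLOG_SAMPLE = (
    "May  5 10:08:59 host.name.com suricata[22702]: [1:2009187:4] ET WEB_CLIENT ACTIVEX "
    "iDefense COMRaider ActiveX Control Arbitrary File Deletion [Classification: Web "
    "Application Attack] [Priority: 3] {TCP} xx.xx.232.144:80 -> 192.168.1.4:56068"
)
ICMP_SAMPLE = (
    "09/11/20-21:55:58.000001  [**] [1:1000001:1] LOCAL ICMP echo request (test) [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.4 -> 192.168.1.1"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return one normalised record for either line shape, or None if it is not an alert."""
    for fmt, rx in (("fast", FAST_RE), ("syslog", SYSLOG_RE)):
        m = rx.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["format"] = fmt
        for key in ("gid", "sid", "rev", "priority"):
            rec[key] = int(rec[key])
        for key in ("sport", "dport", "pid"):
            rec[key] = int(rec[key]) if rec.get(key) is not None else None
        rec.setdefault("host", None)  # only the syslog shape carries host/pid
        return rec
    return None


def to_fast_log(rec: dict, year: Optional[int] = None) -> str:
    """Re-emit a parsed record in the native fast.log shape.

    A syslog-sourced record has no year and no microseconds: the year is an
    assumption (pass it in; defaults to the current year) and the microsecond
    field is rendered as .000000.
    """
    if rec["format"] == "fast":
        ts = rec["ts"]
    else:
        year = datetime.now().year if year is None else year
        stamp = " ".join(rec["ts"].split())  # collapse syslog's padded day field
        dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ts = dt.strftime("%m/%d/%y-%H:%M:%S") + ".000000"

    def endpoint(addr: str, port: Optional[int]) -> str:
        return addr if port is None else f"{addr}:{port}"

    return (
        f"{ts}  [**] [{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']} [**] "
        f"[Classification: {rec['classification']}] [Priority: {rec['priority']}] "
        f"{{{rec['proto']}}} {endpoint(rec['src'], rec['sport'])} -> "
        f"{endpoint(rec['dst'], rec['dport'])}"
    )


if __name__ == "__main__":
    for sample in (FAST_SAMPLE, SYSLOG_SAMPLE, ICMP_SAMPLE):
        rec = parse_alert(sample)
        print(rec["format"], rec["sid"], rec["src"], rec["sport"], "->", rec["dst"], rec["dport"])
        print(to_fast_log(rec, year=2010))
```

Because the syslog wrapper drops the year and sub-second precision, the reconstructed fast.log line is lossy in the timestamp; everything else (SID/GID/rev, message, classification, priority, protocol and endpoints) round-trips exactly, which is usually what a receiver keyed on the default format actually needs.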
Title: Re: Log format
Post by: r4nd0m on September 14, 2020, 06:06:13 PM
Just for completion: I decided to grab the logs from /var/log/suricata/fast.log directly instead ...