I realized that the logging format differs. Basically I did not change anything!
Expected:
firewall.FQDN.home suricata[5606]: {"timestamp":"2021-12-09T17:18:52.827551+0100","flow_id":1286923271053471,"in_iface":"igb0","event_type":"alert","src_ip":"XX7.XX.10.210","src_port":47145,"dest_ip":"192.168.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500018,"rev":6005,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10","category":"Misc Attack","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Any"],"created_at":["2011_04_28"],"deployment":["Perimeter"],"signature_severity":["Major"],"tag":["COMPROMISED"],"updated_at":["2021_12_06"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,"start":"2021-12-09T17:18:52.827551+0100"}}
Real:
firewall.FQDN.home suricata[84449]: [1:2018789:4] ET POLICY TLS possible TOR SSL traffic [Classification: Misc activity] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:XXXXX -> XX.76.70.XX:4XXXX
Why is that? As I log into a SIEM solution the log format renders the logs useless.
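The two layouts in the post side by side, as an added example that is not part of the thread: a small Python normaliser that accepts either an EVE JSON alert or a fast-format alert line as it arrives via syslog, maps both onto the same fields a SIEM would key on, and counts how many lines came in each format so the unexpected one is noticed immediately. The sample lines, hostnames, PIDs and addresses are constructed (RFC 5737 ranges); only the signature IDs and messages are taken from the post.

```python
import json
import re
from collections import Counter
# OPNsense prepends "host suricata[pid]: " to every line; the payload after it is either an EVE JSON object or a fast-format alert.
SYSLOG_PREFIX = re.compile(r"^(?P<host>\S+) suricata\[(?P<pid>\d+)\]: (?P<payload>.*)$")
# Fast format: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[Classification: (?P<category>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src_ip>[^:\s]+):(?P<src_port>\d+) -> (?P<dest_ip>[^:\s]+):(?P<dest_port>\d+)$"
)

def parse_suricata_line(line):
    """Normalise one syslog line to a flat dict, whichever Suricata output wrote it."""
    m = SYSLOG_PREFIX.match(line.strip())
    if not m:
        return None
    payload, rec = m["payload"], {"host": m["host"], "pid": int(m["pid"])}
    if payload.startswith("{"):
        ev = json.loads(payload)
        if ev.get("event_type") != "alert":
            return None  # flow/dns/tls records are not alerts; skip them here
        a = ev["alert"]
        rec.update(format="eve", sid=a["signature_id"], rev=a["rev"], msg=a["signature"],
                   category=a["category"], severity=a["severity"], proto=ev["proto"],
                   src_ip=ev["src_ip"], src_port=ev["src_port"], dest_ip=ev["dest_ip"], dest_port=ev["dest_port"])
        return rec
    f = FAST_ALERT.match(payload)
    if not f:
        return None
    # "Priority" in the fast format is the rule priority that EVE reports as "severity"
    rec.update(format="fast", sid=int(f["sid"]), rev=int(f["rev"]), msg=f["msg"],
               category=f["category"], severity=int(f["priority"]), proto=f["proto"],
               src_ip=f["src_ip"], src_port=int(f["src_port"]), dest_ip=f["dest_ip"], dest_port=int(f["dest_port"]))
    return rec

def format_counts(lines):
    """Count lines per format; any 'fast' line where EVE output is expected flags the regression."""
    recs = [parse_suricata_line(line) for line in lines]
    return Counter(r["format"] if r else "unparsed" for r in recs)

# Constructed sample lines modelled on the two layouts in the post (documentation addresses, not real hosts).
SAMPLE_LINES = [
    'firewall.example.home suricata[5606]: {"event_type":"alert","src_ip":"198.51.100.210","src_port":47145,'
    '"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500018,'
    '"rev":6005,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10","category":"Misc Attack","severity":2}}',
    "firewall.example.home suricata[84449]: [1:2018789:4] ET POLICY TLS possible TOR SSL traffic "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51234 -> 198.51.100.70:443",
]
```

Feeding `format_counts` a batch from the SIEM's intake and alerting on any non-zero "fast" or "unparsed" count catches a silent format switch like the one described here before the parsed fields go stale.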
No versions here but assuming you mean 21.7.5 -> 21.7.6:
# opnsense-revert -r 21.7.5 suricata
Try to restart suricata from the GUI afterwards to see if the logging is correct again.
If it is this could be a regression in version 6.0.4.
EDIT: sorry, corrected my post. It's been a long day.
Cheers,
Franco
Quote from: franco on December 14, 2021, 05:24:57 PM
No versions here but assuming you mean 21.7.6 -> 21.7.7:
# opnsense-revert -r 21.7.6 suricata
Try to restart suricata from the GUI afterwards to see if the logging is correct again.
If it is this could be a regression in version 6.0.4.
Cheers,
Franco
I don't see any release note for 21.7.7 yet?!?
@fastboot
Are you sure that "Enable eve syslog output" is enabled and "Enable syslog alerts" is disabled?
Quote from: chemlud on December 14, 2021, 05:47:23 PM
I don't see any release note for 21.7.7 yet?!?
I was working on 21.7.7 all day so that was my mistake. Changed the original message.
Cheers,
Franco
Hi folks,
Really sorry for the delay, I was away and did not even realize I got an answer (need to check my mail settings).
Quote from: franco on December 14, 2021, 06:25:11 PM
Quote from: chemlud on December 14, 2021, 05:47:23 PM
I don't see any release note for 21.7.7 yet?!?
I was working on 21.7.7 all day so that was my mistake. Changed the original message.
Cheers,
Franco
Basically I did not change anything. After the upgrade and a reboot it started to log this way. Before that I had both enabled.
Now I removed the syslog and enabled eve only. But even a start/stop of the daemon did not help. I needed to reboot. But it's fixed again. :)
Thanks guys!
Cheers
fb