Suricata: weird logging format since update?!

Started by fastboot, December 14, 2021, 05:22:11 PM

I realized that the logging format differs. Basically I did not change anything!

Expected:
firewall.FQDN.home suricata[5606]: {"timestamp":"2021-12-09T17:18:52.827551+0100","flow_id":1286923271053471,"in_iface":"igb0","event_type":"alert","src_ip":"XX7.XX.10.210","src_port":47145,"dest_ip":"192.168.XXX.XXX","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500018,"rev":6005,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10","category":"Misc Attack","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Any"],"created_at":["2011_04_28"],"deployment":["Perimeter"],"signature_severity":["Major"],"tag":["COMPROMISED"],"updated_at":["2021_12_06"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,"start":"2021-12-09T17:18:52.827551+0100"}}

Real: firewall.FQDN.home suricata[84449]: [1:2018789:4] ET POLICY TLS possible TOR SSL traffic [Classification: Misc activity] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:XXXXX -> XX.76.70.XX:4XXXX

Why is that? As I log into a SIEM solution, the log format renders the logs useless.
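The two formats from the post side by side, as an added parser example (not code from the thread, from OPNsense or from Suricata): it normalises an EVE JSON line and a fast-alert line into one record so a SIEM ingest keeps working whichever output the sensor is emitting. The sample lines are constructed from the post's fields with RFC 5737 addresses and carry no syslog timestamp prefix, matching the post; that fast-log Priority corresponds to EVE alert.severity is my assumption.

```python
import json
import re

# Constructed sample lines modelled on the two formats in the post
# (addresses replaced with RFC 5737 documentation ranges).
EVE_LINE = (
    'firewall.FQDN.home suricata[5606]: {"timestamp":"2021-12-09T17:18:52.827551+0100",'
    '"flow_id":1286923271053471,"in_iface":"igb0","event_type":"alert",'
    '"src_ip":"203.0.113.210","src_port":47145,"dest_ip":"192.0.2.20","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500018,"rev":6005,'
    '"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10",'
    '"category":"Misc Attack","severity":2}}'
)
FAST_LINE = (
    'firewall.FQDN.home suricata[84449]: [1:2018789:4] ET POLICY TLS possible TOR SSL traffic '
    '[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.20:51234 -> 198.51.100.70:443'
)

# Common syslog prefix: "<host> suricata[<pid>]: <message>"
SYSLOG_RE = re.compile(r'^(?P<host>\S+)\s+suricata\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$')
# Fast-alert format: [gid:sid:rev] <msg> [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<signature>.*?)\s+'
    r'\[Classification:\s*(?P<category>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src_ip>\S+):(?P<src_port>\d+)\s+->\s+(?P<dest_ip>\S+):(?P<dest_port>\d+)$'
)


def parse_suricata_syslog(line: str) -> dict:
    """Normalise one Suricata syslog line (EVE JSON or fast alert) into a flat record."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a suricata syslog line")
    msg = m.group("msg")
    base = {"host": m.group("host"), "pid": int(m.group("pid"))}
    if msg.startswith("{"):  # EVE JSON output
        ev = json.loads(msg)
        if ev.get("event_type") != "alert":  # flows, dns, tls, ... are passed through minimally
            return {**base, "format": "eve", "event_type": ev.get("event_type")}
        a = ev["alert"]
        return {**base, "format": "eve", "event_type": "alert",
                "gid": a["gid"], "sid": a["signature_id"], "rev": a["rev"],
                "signature": a["signature"], "category": a["category"],
                "severity": a["severity"], "proto": ev["proto"],
                "src_ip": ev["src_ip"], "src_port": ev["src_port"],
                "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"]}
    f = FAST_RE.match(msg)  # otherwise expect the fast-alert text format
    if not f:
        raise ValueError("unrecognised suricata message format")
    d = f.groupdict()
    for k in ("gid", "sid", "rev", "priority", "src_port", "dest_port"):
        d[k] = int(d[k])
    d["severity"] = d.pop("priority")  # assumption: fast-log Priority == EVE alert.severity
    return {**base, "format": "fast", "event_type": "alert", **d}
```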

December 14, 2021, 05:24:57 PM #1 Last Edit: December 14, 2021, 06:24:25 PM by franco
No versions here but assuming you mean 21.7.5 -> 21.7.6:

# opnsense-revert -r 21.7.5 suricata

Try to restart suricata from the GUI afterwards to see if the logging is correct again.

If it is this could be a regression in version 6.0.4.

EDIT: sorry, corrected my post. It's been a long day.


Cheers,
Franco

Quote from: franco on December 14, 2021, 05:24:57 PM
No versions here but assuming you mean 21.7.6 -> 21.7.7:

# opnsense-revert -r 21.7.6 suricata

Try to restart suricata from the GUI afterwards to see if the logging is correct again.

If it is this could be a regression in version 6.0.4.


Cheers,
Franco

I don't see any release note for 21.7.7 yet?!?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

@fastboot
are you sure that "Enable eve syslog output" is enabled and "Enable syslog alerts" is disabled?

Quote from: chemlud on December 14, 2021, 05:47:23 PM
I don't see any release note for 21.7.7 yet?!?

I was working on 21.7.7 all day so that was my mistake. Changed the original message.


Cheers,
Franco

Hi folks,

really sorry for the delay, I was away and did not even realize I got an answer (need to check my mail settings).


Quote from: franco on December 14, 2021, 06:25:11 PM
Quote from: chemlud on December 14, 2021, 05:47:23 PM
I don't see any release note for 21.7.7 yet?!?

I was working on 21.7.7 all day so that was my mistake. Changed the original message.


Cheers,
Franco

Basically I did not change anything. After the upgrade and a reboot it started to log this way. Before that I had both enabled.

Now I removed the syslog and enabled eve only. But even a start/stop of the daemon did not help. I needed to reboot. But it's fixed again. :)

Thanks guys!

Cheers

fb