Suricata Local syslog


KCZ

Feb 21, 2018, 4:05:50 PM2/21/18
to security-onion
I would like to get Suricata alerts sent to Splunk. I have been sending the alerts via syslog to a remote syslog server via barnyard2. This works for a while but bombs out on me.

I already have a Splunk forwarder on the box collecting Bro logs and would like to pick up the Suricata alerts this way, but I cannot seem to find them.

barnyard2.conf has: "output alert_syslog: LOG_LOCAL6 LOG_ALERT", but I do not have local6 in /var/logs/

Are there additional config changes I need to make?

Wes Lambert

Feb 21, 2018, 5:14:46 PM2/21/18
to securit...@googlegroups.com


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Kevin Branch

Feb 22, 2018, 3:19:45 PM2/22/18
to securit...@googlegroups.com
Assuming Splunk does a nice job at consuming/parsing JSON logs, you might also want to consider using Suricata's Eve JSON output feature.


Kevin

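Two things in this thread are worth seeing concretely: why "LOG_LOCAL6 LOG_ALERT" does not produce a /var/log/local6 file (a syslog facility is a number in the message's PRI header, and it is the syslog daemon's selector rules, not the facility name, that decide which file, if any, receives the message), and what Suricata's EVE JSON alert records look like once you decide to feed those to the Splunk forwarder instead. The script below is an added example written for this page; it is not code from the thread, from Security Onion, Suricata or barnyard2. It reads constructed EVE lines, keeps only the alert events, and renders each as a syslog line with the PRI that LOG_LOCAL6 + LOG_ALERT encodes. The message layout is modelled on Snort-style alert_syslog output, the hostname "sensor1" and pid 1234 are placeholders, and the sample records are made up for the example.

```python
"""Added example, not from the original thread or from Security Onion/Suricata.

Reads Suricata EVE JSON records, keeps event_type == "alert", and formats each
alert as an RFC 3164-style syslog line carrying the LOG_LOCAL6 / LOG_ALERT
priority named in barnyard2's "output alert_syslog: LOG_LOCAL6 LOG_ALERT".
The sample records, hostname and pid below are constructed placeholders, and
the message body layout is modelled on Snort-style syslog alerts (assumption).
"""
import json
from datetime import datetime

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITIES = {f"LOG_LOCAL{i}": 16 + i for i in range(8)}   # local0=16 .. local7=23
SEVERITIES = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
              "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}

# Constructed EVE JSON lines (one record per line, as Suricata writes eve.json).
# The middle record is a DNS event, which an alert-only consumer must skip.
EVE_SAMPLE = """\
{"timestamp":"2018-02-21T16:05:50.123456-0500","flow_id":1,"event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-02-21T16:05:51.000000-0500","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","src_port":53001,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2018-02-21T16:05:52.500000-0500","flow_id":3,"event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
"""


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity. LOG_LOCAL6 + LOG_ALERT is 22 * 8 + 1 = 177.

    The daemon only sees this number; a file such as /var/log/local6 exists
    only if a selector rule (e.g. rsyslog's "local6.*") writes one.
    """
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_eve_alerts(text: str) -> list:
    """Return the EVE records with event_type == "alert", skipping other event
    types and any truncated/unparseable line (common at the tail of a file
    that is still being written or rotated)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def to_syslog_line(rec: dict, host: str = "sensor1", pid: int = 1234,
                   facility: str = "LOG_LOCAL6", severity: str = "LOG_ALERT") -> str:
    """Render one EVE alert as "<PRI>Mmm dd HH:MM:SS host tag[pid]: message".

    host/pid are placeholders; the message body follows the Snort-style
    "[gid:sid:rev] signature [Classification: ...] [Priority: n] {proto} src -> dst"
    layout as an assumption, not a verbatim copy of barnyard2's output.
    """
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164 TIMESTAMP, day space-padded
    a = rec["alert"]
    msg = (f"[{a['gid']}:{a['signature_id']}:{a['rev']}] {a['signature']} "
           f"[Classification: {a['category']}] [Priority: {a['severity']}] "
           f"{{{rec['proto']}}} {rec['src_ip']}:{rec['src_port']} -> "
           f"{rec['dest_ip']}:{rec['dest_port']}")
    return f"<{syslog_pri(facility, severity)}>{stamp} {host} suricata[{pid}]: {msg}"


if __name__ == "__main__":
    for alert in parse_eve_alerts(EVE_SAMPLE):
        print(to_syslog_line(alert))
```

Running it prints two lines prefixed with `<177>`, which is exactly what a receiving syslog daemon is matching on when it evaluates a selector such as `local6.*` against a file destination; if no rule names local6, the message is dropped or swept into whatever catch-all rule the default configuration has, which is consistent with nothing showing up under /var/log/local6. For the EVE route, the same `parse_eve_alerts` filter is the part worth keeping: eve.json carries every event type Suricata is configured to log, so a Splunk input that is meant to be "alerts only" has to filter on `event_type` rather than ingest the whole file.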