Bug 12960 - IPS Log not send by syslog to syslog server
Summary: IPS Log not send by syslog to syslog server
Status: NEW
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
: Will only affect a few users Security
Assignee: Stefan Schantl
QA Contact: Peter Müller
URL: https://community.ipfire.org/t/ids-lo...
Keywords: Security
Depends on:
Blocks:
Reported: 2022-10-17 12:47 UTC by Sven F
Modified: 2023-03-15 10:59 UTC

See Also:


Attachments

Description Sven F 2022-10-17 12:47:36 UTC
The messages from the IPS log are not sent to the configured syslog server (Core 169).
IPS log messages should be sent via syslog to a server for better analysis and monitoring.
Bug is based on forum thread https://community.ipfire.org/t/ids-log-to-syslog/8777
Comment 1 florom 2023-02-01 09:58:05 UTC
There is a workaround.

In /etc/suricata/suricata.yaml:

If you include a "syslog" section directly under the "outputs" section, it seems to work.
The "logging" - "outputs" section does not seem to have any impact, so you do not need to activate it at all.
See code below.

[...]
"""
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  - syslog:
      enabled: yes
      facility: local5
      identity: "scata"
      format: ""
      level: Info

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: no
      filename: stats.log
      append: no       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes  # print counters that have value 0

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
"""
[...]
"""
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: Info

  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
      # type: json
  - file:
      enabled: no
      level: info
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      identity: "suricata"
      format: ""
      level: Debug
      # type: json

"""
The Wireshark output is like this (anonymized):
scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} zz.zz.zz.zz:yyy → xx.xx.xx.xx:bbb

Based on forum thread https://community.ipfire.org/t/ips-suricata-does-not-log-into-syslog/9302/4?u=florom (it might be formatted more nicely there)
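Once the alerts arrive at the syslog server in the shape shown above, the receiving side still has to split each message into fields before it can be monitored. The following is an added example, not code from this bug report, from florom, or from IPFire or Suricata: a small parser for that line format. It treats the "identity[pid]:" prefix and the "[Drop]" action tag as optional (plain, non-drop alerts carry no tag, and a collector may already have stripped the syslog prefix), accepts both "->" and the arrow glyph Wireshark renders, and copes with IPv6 addresses by splitting on the last colon. The sample lines are constructed; the addresses and ports are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Pattern for the line shape Suricata's syslog alert output produces, as
# quoted in the comment above. The "identity[pid]:" prefix and the
# "[Drop]" action tag are both optional: a collector may already have
# stripped the syslog prefix, and plain (non-drop) alerts carry no tag.
# Both "->" and the arrow glyph Wireshark renders are accepted.
ALERT_RE = re.compile(
    r"^(?:(?P<identity>[^\s\[]+)\[(?P<pid>\d+)\]:\s+)?"
    r"(?:\[(?P<action>[^\]]+)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?:->|\u2192)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    action: str            # "Drop" for IPS drops, "Alert" when no tag is present
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog message body; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(
        action=m.group("action") or "Alert",
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("classification"),
        priority=int(m.group("priority")),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
    )


def count_by_action_and_sid(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Tally parsed alerts per (action, sid), silently skipping other lines."""
    counts: Dict[Tuple[str, int], int] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert.action, alert.sid)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample messages (documentation address ranges, made-up ports).
# The first mirrors the anonymized line in the comment above; the second has
# no action tag and uses the arrow glyph; the third is not an alert at all.
SAMPLE_LINES = [
    "scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "192.0.2.10:51234 -> 198.51.100.5:80",
    "[1:1000001:1] LOCAL EXAMPLE test rule [Classification: Misc activity] "
    "[Priority: 3] {UDP} 2001:db8::10:5353 \u2192 2001:db8::1:53",
    "scata[20094]: Stats: uptime 3600s",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_alert(line))
    print(count_by_action_and_sid(SAMPLE_LINES))
```

The parser only looks at the message body; if your collector stores the full syslog line (timestamp and hostname in front), cut that prefix off first. Non-alert messages from the same identity, such as stats lines, return None rather than raising, so the tally function can run over a whole log file.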
Comment 2 Sven F 2023-03-15 10:59:34 UTC
The solution provided by florom is working, but the changes to suricata.yaml are lost after a core update (172 to 173).
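Since the workaround does not survive a Core Update, a defender wants a quick check to run after every update to confirm the syslog output is still enabled. The following is an added example, not code from this bug report, from florom, or from IPFire or Suricata: a minimal, PyYAML-free scan of suricata.yaml that reports the state of the "- syslog:" item under the top-level "outputs:" section and deliberately ignores the "logging: outputs:" section, which the earlier comment reports has no effect on alert delivery. The default file path is the one named in Comment 1; the YAML excerpts are constructed for the test.

```python
import sys
from typing import Optional


def outputs_syslog_enabled(yaml_text: str) -> Optional[bool]:
    """
    Report the state of the '- syslog:' item under the TOP-LEVEL 'outputs:'
    section of a suricata.yaml.

    Returns True/False from that item's 'enabled:' key, or None when the
    top-level outputs section has no syslog item at all. The nested
    'logging: outputs:' section is deliberately ignored, since the comment
    above reports that it has no effect on alert delivery.

    Minimal indentation-based scan so the check runs without PyYAML; good
    enough for the stock layout of the file, not a general YAML parser.
    """
    in_top_outputs = False
    in_syslog_item = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 0:                        # a new top-level key
            in_top_outputs = stripped == "outputs:"
            in_syslog_item = False
            continue
        if not in_top_outputs:
            continue
        if stripped.startswith("- "):          # a new list item under outputs
            in_syslog_item = stripped[2:].rstrip(":").strip() == "syslog"
            continue
        if in_syslog_item and stripped.startswith("enabled:"):
            value = stripped.split(":", 1)[1].strip().strip("\"'").lower()
            return value in ("yes", "true", "on")
    return None


def describe(state: Optional[bool]) -> str:
    return {True: "enabled", False: "present but disabled", None: "missing"}[state]


# Constructed excerpts. The first mirrors the workaround from Comment 1; the
# second has no syslog item under the top-level outputs, only under
# logging: outputs:, which this check must NOT count even though it is enabled.
WORKAROUND_YAML = """\
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - syslog:
      enabled: yes
      facility: local5
      identity: "scata"
      format: ""
      level: Info
  - stats:
      enabled: no

logging:
  default-log-level: Info
  outputs:
  - syslog:
      enabled: no
      facility: local5
"""

NO_OUTPUT_SYSLOG_YAML = """\
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - stats:
      enabled: no

logging:
  default-log-level: Info
  outputs:
  - syslog:
      enabled: yes
      facility: local5
"""


def check_file(path: str) -> Optional[bool]:
    """Run the check against a file on disk, e.g. right after a Core Update."""
    with open(path, encoding="utf-8") as fh:
        return outputs_syslog_enabled(fh.read())


if __name__ == "__main__":
    # Default path is the one named in Comment 1 of this bug.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/suricata/suricata.yaml"
    state = check_file(path)
    print(f"{path}: outputs/syslog is {describe(state)}")
    sys.exit(0 if state else 1)
```

The non-zero exit status when the item is missing or disabled makes the script usable from a post-update checklist or a cron job that alerts when the workaround has been overwritten.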