The messages from the IPS log are not sent to the configured syslog server (Core 169). IPS log messages should be sent via syslog to a server for better analysis and monitoring. The bug is based on forum thread https://community.ipfire.org/t/ids-log-to-syslog/8777
There is a workaround: in /etc/suricata/suricata.yaml, if you include a "syslog" section directly under the "outputs" section it seems to work. The "logging" - "outputs" section does not seem to have any impact, so you do not need to activate it at all. See the configuration below.

[...]
"""
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - syslog:
      enabled: yes
      facility: local5
      identity: "scata"
      format: ""
      level: Info

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: no
      filename: stats.log
      append: no        # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes # print counters that have value 0

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
"""
[...]
"""
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: Info

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
      # type: json
  - file:
      enabled: no
      level: info
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      identity: "suricata"
      format: ""
      level: Debug
      # type: json
"""

The Wireshark output is like this (anonymized):

scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} zz.zz.zz.zz:yyy → xx.xx.xx.xx:bbb

Based on forum thread https://community.ipfire.org/t/ips-suricata-does-not-log-into-syslog/9302/4?u=florom (might be formatted more nicely there)
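As an added example (not code from the bug report, florom or IPFire), a small Python parser for the alert lines that the "syslog" output above produces, so they can be checked and counted on the receiving syslog server; the sample lines, the second SID and the addresses are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# One alert as Suricata's "syslog" output writes it (same layout as fast.log),
# optionally prefixed by the syslog tag "identity[pid]: ". IPv4 only;
# "[Drop]" is present only when the IPS actually dropped the packet.
ALERT_RE = re.compile(
    r"^(?:(?P<ident>[\w.-]+)\[(?P<pid>\d+)\]:\s+)?"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[\w-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+(?:->|→)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        if d[key] is not None:
            d[key] = int(d[key])
    d["dropped"] = d["action"] == "Drop"
    return d

def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count parsed alerts per signature and list the priority-1 messages."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    return {
        "alerts": len(alerts),
        "dropped": sum(1 for a in alerts if a["dropped"]),
        "by_sid": Counter(a["sid"] for a in alerts),
        "priority1": [a["msg"] for a in alerts if a["priority"] == 1],
    }
# Constructed sample lines, modelled on the anonymized capture in the report.
SAMPLE_LINES: List[str] = [
    "scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 192.0.2.10:51234 -> 198.51.100.7:80",
    "scata[20094]: [1:1000001:1] LOCAL TEST constructed second alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{UDP} 198.51.100.7:53 -> 192.0.2.10:40001",
    "scata[20094]: Signature(s) loaded, Detect thread(s) started.",
]
```

Feed it the lines received for the "scata" identity (facility local5 in the configuration above); non-alert engine messages on the same facility are skipped rather than mis-parsed.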
The provided solution from florom is working, but the changes to suricata.yaml are lost after a core update (172 to 173).