The messages from the IPS log are not sent to the configured syslog server (Core 169). IPS log messages should be sent by syslog to a server for better analysis and monitoring. Bug is based on forum thread https://community.ipfire.org/t/ids-log-to-syslog/8777
There is a workaround: in /etc/suricata/suricata.yaml, if you include a "syslog" section directly under the "outputs" section it seems to work. The "logging" -> "outputs" section does not seem to have any impact, so you do not need to activate it at all. See code below.

[...]
"""
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - syslog:
      enabled: yes
      facility: local5
      identity: "scata"
      format: ""
      level: Info

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: no
      filename: stats.log
      append: no        # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes # print counters that have value 0

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
"""
[...]
"""
logging:
  # The default log level, can be overridden in an output section.
  # Note that debug level logging will only be emitted if Suricata was
  # compiled with the --enable-debug configure option.
  #
  # This value is overridden by the SC_LOG_LEVEL env var.
  default-log-level: Info

  # A regex to filter output. Can be overridden in an output section.
  # Defaults to empty (no filter).
  #
  # This value is overridden by the SC_LOG_OP_FILTER env var.
  default-output-filter:

  # Define your logging outputs. If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
      # type: json
  - file:
      enabled: no
      level: info
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      identity: "suricata"
      format: ""
      level: Debug
      # type: json
"""

The Wireshark output is like this (anonymized):

scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} zz.zz.zz.zz:yyy → xx.xx.xx.xx:bbb

Based on forum thread https://community.ipfire.org/t/ips-suricata-does-not-log-into-syslog/9302/4?u=florom (might be formatted more nicely there)
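A parser for the alert lines that the workaround above delivers to the syslog server, added here as an example; it is not part of the bug report, of IPFire or of Suricata. The body format ("[action] [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port") is what Suricata's alert syslog output writes; the sample lines are constructed in the shape of the anonymized Wireshark line in the comment, with placeholder addresses, ports and PID, and the sids 1000001/1000002 are local-rule placeholders. Function and class names are my own.

```python
"""Parse Suricata alert lines as received on a syslog server when the
alert "syslog" output is enabled under "outputs:" in suricata.yaml."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines (NOT real captures). The first mirrors the
# anonymized line from the comment; the others exercise the plain alert
# action, a port-less protocol, and an unrelated syslog line.
SAMPLE_LINES = [
    "Jul 25 10:14:02 ipfire scata[20094]: [Drop] [1:2028651:2] "
    "ET USER_AGENTS Steam HTTP Client User-Agent "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 10.0.1.25:49152 -> 198.51.100.7:80",
    "Jul 25 10:14:07 ipfire scata[20094]: [**] [1:1000001:1] "
    "LOCAL test alert [Classification: Misc activity] [Priority: 3] "
    "{UDP} 198.51.100.7:53 -> 10.0.1.25:40001",
    "Jul 25 10:14:11 ipfire scata[20094]: [**] [1:1000002:1] "
    "LOCAL ICMP echo request [Classification: Misc activity] [Priority: 3] "
    "{ICMP} 10.0.1.25 -> 10.0.1.1",
    "Jul 25 10:14:09 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9",
]

# Syslog body written by Suricata's alert-syslog output. The action is
# "**" (alert), "Drop", or "wDrop" (would drop, IDS mode). Wireshark renders
# "->" as "→", so both arrows are accepted.
ALERT_RE = re.compile(
    r"(?P<ident>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"\[(?P<action>\*\*|w?Drop)\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\S+) (?:->|→) (?P<dst>\S+)\s*$"
)

ACTIONS = {"**": "alert", "Drop": "drop", "wDrop": "wdrop"}
PORTED_PROTOCOLS = {"TCP", "UDP", "SCTP"}


@dataclass
class Alert:
    identity: str
    pid: int
    action: str            # "alert", "drop" or "wdrop"
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    """'10.0.1.25:49152' -> ('10.0.1.25', 49152). For protocols without
    ports (e.g. ICMP) Suricata prints the bare address, so the last colon
    is only treated as a port separator for TCP/UDP/SCTP."""
    if proto.upper() in PORTED_PROTOCOLS:
        addr, sep, port = endpoint.rpartition(":")
        if sep and port.isdigit():
            return addr, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Suricata syslog alert line, None for anything else."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = split_endpoint(m["dst"], m["proto"])
    return Alert(
        identity=m["ident"], pid=int(m["pid"]), action=ACTIONS[m["action"]],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["classification"],
        priority=int(m["priority"]), proto=m["proto"].upper(),
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_alerts(lines, identity: str = "scata") -> List[Alert]:
    """Keep only alerts whose syslog identity matches the configured one
    (the workaround sets identity: "scata"); other syslog traffic is skipped."""
    return [a for a in map(parse_alert, lines)
            if a is not None and a.identity == identity]


def dropped(alerts: List[Alert]) -> List[Alert]:
    """Alerts where the IPS actually dropped the packet."""
    return [a for a in alerts if a.action == "drop"]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LINES):
        print(f"{a.action:5} sid={a.sid} {a.proto} {a.src_ip}:{a.src_port} "
              f"-> {a.dst_ip}:{a.dst_port} {a.msg!r}")
```

Filtering on the configured identity matters because the `logging:` section of suricata.yaml, if ever enabled, sends engine messages with the identity "suricata" to the same facility, and those are not alerts.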
The solution provided by florom is working, but the changes to suricata.yaml are lost after a core update (172 to 173).
Apparently, after 01.07.2023 the workaround is not working anymore. This info is from my logs but does not necessarily mean that Suricata is responsible; other things were not logged either. On 25.07.2023 I noticed the missing logs, and these are the findings: the changes described above lead to the following error message when starting Suricata from the command line (it does not work when starting from the web interface either, but no error message is shown there):

root# /etc/rc.d/init.d/suricata start
Starting Intrusion Detection System...                          [ FAIL ]
chmod: cannot access '/var/run/suricata.pid': No such file or directory

This message only appears with the changes; after undoing the changes, Suricata can be started. Unfortunately, using the real logging section in suricata.yaml for logging to syslog does not work.
Above comment on IPFire 2.27 (x86_64) - Core-Update 176
In Suricata version 6.0.12 it was working. In Suricata version 6.0.13 it is not working anymore.
(In reply to florom from comment #5)
> In Suricata version 6.0.12 it was working.
> In Suricata version 6.0.13 it is not working anymore.

On Core 178 it's working with Suricata version 6.0.13.
@Sven F thanks.
The workaround is also working on Core 186, but it should be implemented in the web GUI.