Bug #1204 (Closed)
EVE syslog config parameters (identity, facility, level) do not work
Description
The YAML configuration parameters for eve-log syslog are not taking effect (the default is always used).
ex:
  - eve-log:
      enabled: yes
      type: syslog
      identity: "SuricataEVE"
      facility: local0
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
Regardless of what is set for identity, facility, and level, the log messages always come out as "suricata", "user", and "info" respectively. This is unless the syslog section is enabled, ex:
  - syslog:
      enabled: no
      identity: "Suricata"
      facility: local0
      level: Debug ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
If the syslog section is enabled then identity and facility are used correctly, but level still does not work.
I would recommend removing the dependency between the eve.json and syslog sections to allow the above eve.json syslog parameters to take effect as intended.
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Tom DeCanio
- Target version set to 2.0.2
Updated by Victor Julien over 10 years ago
- Target version changed from 2.0.2 to 2.0.3
Updated by Victor Julien over 10 years ago
- Target version changed from 2.0.3 to 2.0.4
Updated by Zach Rasmor over 9 years ago
I believe this fix is a simple one-line change. See my attached patch.
My initial testing shows this to be correct, but I will continue testing to be sure. If you'd like to reassign this ticket to me, I'm happy to make the fix. If not, I hope this can provide an aid in fixing this bug as this is a feature we are interested in.
Updated by Victor Julien over 9 years ago
Thanks Zach. Could you submit a pull request? The whole process of contributing is documented here Contributing. Thanks!
Updated by Zach Rasmor over 9 years ago
Thanks, I will read through the steps for contributing and create the pull request.
Regarding the fix:
Further testing indicated that my fix alleviates the issue of the eve-log syslog parameters not taking effect, however when the 'syslog.enabled: yes' is defined at the same time (for fast-log style alerting to syslog), the identity and facility defined in the 'outputs.eve-log' section are overridden by the identity and facility specified in the 'syslog' section. This is because enabling syslog output for both of these logs causes 2 separate calls to the openlog API, where the identity and facility of the second openlog call overrides the first.
So in other words, the patch results in correct eve-log syslog output when it is the only syslog output enabled, however the facility and identity fields may be incorrect if the syslog (for fast-log alerting) is enabled at the same time with a different facility and identity specified.
Alleviation of the latter issue may require some higher level design changes, some possibilities:
-- (Least effort) Tell user that the identity and facility must be defined the same everywhere in the yaml
-- (A little effort) OR-ing the facility value with the level value in the syslog call – this would allow for different facilities, but not different identities
-- (Substantial effort) changing the yaml format such that the facility and identity are set in only one place and then changing the design such that openlog is only called once
-- Something else?
Regardless, I’ll submit the pull request, and you can decide if you’d like to accept it.
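The second option in the list above, OR-ing the facility into the priority passed to each syslog(3) call so that openlog() only has to be called once, as an added example. This is illustration code written for this page, not Suricata's code and not the patch attached to the ticket. The struct syslog_output, the name tables and the two constructed outputs (mirroring the eve-log and syslog YAML sections quoted in the description) are assumptions of the example; the facility and level names are the ones listed in the ticket's YAML comment.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>

/* One syslog-style output as the YAML describes it: identity, facility, level.
 * This struct is an assumption of the example, not a Suricata data structure. */
struct syslog_output {
    const char *identity;
    const char *facility_name;
    const char *level_name;
};

struct name_code { const char *name; int code; };

/* Facility names as they would appear in the YAML (assumed set). */
static const struct name_code facilities[] = {
    { "kern", LOG_KERN },     { "user", LOG_USER },       { "mail", LOG_MAIL },
    { "daemon", LOG_DAEMON }, { "auth", LOG_AUTH },       { "syslog", LOG_SYSLOG },
    { "lpr", LOG_LPR },       { "news", LOG_NEWS },       { "uucp", LOG_UUCP },
    { "cron", LOG_CRON },     { "authpriv", LOG_AUTHPRIV }, { "ftp", LOG_FTP },
    { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },   { "local2", LOG_LOCAL2 },
    { "local3", LOG_LOCAL3 }, { "local4", LOG_LOCAL4 },   { "local5", LOG_LOCAL5 },
    { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
};

/* The level names listed in the ticket's YAML comment. */
static const struct name_code levels[] = {
    { "Emergency", LOG_EMERG }, { "Alert", LOG_ALERT },     { "Critical", LOG_CRIT },
    { "Error", LOG_ERR },       { "Warning", LOG_WARNING }, { "Notice", LOG_NOTICE },
    { "Info", LOG_INFO },       { "Debug", LOG_DEBUG },
};

/* Case-insensitive table lookup; -1 when the name is unknown. */
static int lookup(const struct name_code *table, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(table[i].name, name) == 0)
            return table[i].code;
    return -1;
}

int facility_from_name(const char *name)
{
    return lookup(facilities, sizeof facilities / sizeof facilities[0], name);
}

int level_from_name(const char *name)
{
    return lookup(levels, sizeof levels / sizeof levels[0], name);
}

/* Priority for one syslog(3) call: facility OR'ed with level. Non-zero
 * facility bits in the priority take precedence over the default facility
 * installed by openlog(), so two outputs can log to different facilities
 * after a single openlog(). Returns -1 if either name is unknown. */
int output_priority(const struct syslog_output *out)
{
    int fac = facility_from_name(out->facility_name);
    int lvl = level_from_name(out->level_name);
    if (fac < 0 || lvl < 0)
        return -1;
    return fac | lvl;
}

/* Emit one message for the given output; returns the priority used or -1. */
int emit(const struct syslog_output *out, const char *msg)
{
    int prio = output_priority(out);
    if (prio < 0)
        return -1;
    syslog(prio, "%s", msg);
    return prio;
}

int main(void)
{
    /* Constructed outputs mirroring the ticket's two YAML sections. */
    struct syslog_output eve  = { "SuricataEVE", "local0", "Debug" };
    struct syslog_output fast = { "Suricata",    "local1", "Info"  };

    /* One openlog() per output does not work: openlog() keeps process-wide
     * state, so a second call replaces the identity and default facility for
     * every later syslog() call (the override described in the comment above).
     * Call it once ... */
    openlog(eve.identity, LOG_PID, facility_from_name(eve.facility_name));

    /* ... and let each output carry its own facility in the priority. The
     * identity stays shared: syslog(3) has no per-call ident, which is why
     * this option allows different facilities but not different identities. */
    emit(&eve,  "{\"event_type\":\"alert\"}");
    emit(&fast, "fast-log style alert");

    printf("eve priority=%d fast priority=%d\n",
           output_priority(&eve), output_priority(&fast));
    closelog();
    return 0;
}
```

Run it and compare the facility column of the two lines in the system log: both carry the same identity, but the second lands in local1 even though openlog() was told local0.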
Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- Assignee changed from Tom DeCanio to Zach Rasmor
- Target version set to 2.1beta4
- % Done changed from 0 to 100