Bug #5938

open

for syslog output, the setting identity is not properly set

Added by Zane B-H over 2 years ago. Updated 14 days ago.

Status: New
Priority: Normal

Description

Let's say for outputs, you have something akin to the following.

  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata-ftp"
      facility: local5
      level: Info
      pcap-file: false
      community-id: false
      community-id-seed: 0
      types:
        - ftp
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata-sip"
      facility: local5
      level: Info
      pcap-file: false
      community-id: false
      community-id-seed: 0
      types:
        - sip

All syslog output will show up as "suricata-sip" and never "suricata-ftp", as it will use whatever the last identity was set to, regardless of what it is set to for that specific output item.

Actions #1

Updated by Philippe Antoine 14 days ago

  • Status changed from New to Feedback

Is this still an issue in Suricata 8?

Actions #2

Updated by Philippe Antoine 14 days ago

  • Status changed from Feedback to New
  • Affected Versions 8.0.0 added
  • Affected Versions deleted (6.0.10)

Yes, it is, but it may be due to syslog having only one fd...
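
Background for the behaviour reported in this issue, as an added example that is not part of the thread and is not Suricata's code: the ident passed to openlog() is process-wide libc state, so a later openlog() call replaces it for every subsequent syslog() call. The eve_output struct and the helper functions are hypothetical, and one openlog() per configured output is an assumption; LOG_PERROR (a glibc/BSD extension) mirrors the message to stderr so the tag can be captured and checked.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical stand-in for one eve-log output with filetype: syslog. */
struct eve_output { const char *identity; int facility; };

/* Assumption: every output runs its own openlog() at start-up.
 * LOG_PERROR (glibc/BSD) mirrors each message to stderr. */
static void output_init(const struct eve_output *o)
{
    openlog(o->identity, LOG_PERROR, o->facility);
}

/* syslog() takes no ident argument, so the output's own identity is unused. */
static void output_write(const struct eve_output *o, const char *json)
{
    (void)o;
    syslog(LOG_INFO, "%s", json);
}

/* Point stderr at a pipe, init both outputs, log through the FTP one and
 * capture what libc emitted. Returns bytes captured, or -1 on error. */
static ssize_t demo_capture(char *buf, size_t len)
{
    struct eve_output ftp = { "suricata-ftp", LOG_LOCAL5 };
    struct eve_output sip = { "suricata-sip", LOG_LOCAL5 };
    int p[2], saved;

    if (pipe(p) != 0) return -1;
    fcntl(p[0], F_SETFL, O_NONBLOCK);   /* never block if nothing arrives */
    saved = dup(STDERR_FILENO);
    dup2(p[1], STDERR_FILENO);
    output_init(&ftp);
    output_init(&sip);                  /* replaces the process-wide ident */
    output_write(&ftp, "{\"event_type\":\"ftp\"}");  /* constructed record */
    closelog();
    dup2(saved, STDERR_FILENO);         /* restore the real stderr */
    close(saved); close(p[1]);
    ssize_t n = read(p[0], buf, len - 1);
    close(p[0]);
    buf[n > 0 ? n : 0] = '\0';
    return n;
}

int main(void)
{
    char line[512];
    if (demo_capture(line, sizeof line) > 0) fputs(line, stdout);
    return 0;
}
```

The captured line carries the FTP record under the "suricata-sip" tag, which matches the report above.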
