Task #7589
openeve: deprecate syslog filetype for eve
Updated by Jason Ish 3 months ago
- Related to Task #6849: brainstorm: should certain eve ouput types be removed (eg syslog) added
Updated by Jason Ish 3 months ago
- Related to Task #6851: eve/syslog: stats message too long for many default configurations added
Updated by Jason Ish 3 months ago
- Related to Task #7590: eve: remove syslog filetype added
Updated by Victor Julien 3 months ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Philippe Antoine about 1 month ago
Is this about removing src/output-eve-syslog.c ?
Updated by Jason Ish 17 days ago
For 8 it would just mean marking it as deprecated. Removal would be 9. But I'm not so sure we should? I can't remember the recent discussion around this. Previously it was due to syslog message sizes, but I think modern Linux has much larger message sizes that should probably be retested.
Updated by Jason Ish 16 days ago
Some further tests on sizes. Modern Linux syslog no longer has short limits like 1k. Instead, it is serviced by systemd, at least on systemd Linux systems. I don't think we have to worry about the rest. My tests have shown that this method has a maximum message size of under 220000 bytes (but over 210000), and rsyslog is happy to consume it, provided you increase the maximum rsyslog message size which can be much larger than 220000 bytes.
Looking through my own events, I have one Suricata event that is 180856 bytes. This event contains payload, but it contains the base64 and printable versions of the payload, both disabled by default. So it's a worst case and probably not typical of a deployment.
These modern syslog implementations are also happy to consume and parse JSON.
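One way to check whether a deployment's own EVE records would fit through a syslog transport, as an added example that is not part of this issue or of Suricata's code: it measures each eve.json line in UTF-8 bytes (syslog limits are byte limits) and flags records above a limit, naming the bulk fields they carry. The sample records, the 8192-byte rsyslog default used as the limit, and the `packet` field name are assumptions; the payload fields follow the suricata.yaml options mentioned in the comment above.

```python
import json

# Added example (not Suricata's or rsyslog's code): measure EVE JSON lines the
# way a syslog transport would, in UTF-8 bytes, and flag records that exceed
# a message-size limit and would be truncated or dropped on the way.

RSYSLOG_DEFAULT_MAX = 8192  # rsyslog's default maxMessageSize; raise it for EVE

# EVE fields that dominate large alert records; off by default in suricata.yaml.
# (packet is assumed here alongside the two payload fields the thread mentions.)
BULK_FIELDS = ("payload", "payload_printable", "packet")


def eve_line_bytes(line):
    """Size on the wire: UTF-8 bytes plus the newline eve.json terminates with."""
    return len(line.rstrip("\r\n").encode("utf-8")) + 1


def check_eve_sizes(lines, limit=RSYSLOG_DEFAULT_MAX):
    """Return (largest, oversized): largest maps event_type -> (bytes, index)
    of the biggest record; oversized lists records above `limit` together with
    the bulk fields they carry, so the operator knows which option to turn off."""
    largest, oversized = {}, []
    for idx, line in enumerate(lines):
        if not line.strip():
            continue
        size = eve_line_bytes(line)
        record = json.loads(line)
        etype = record.get("event_type", "unknown")
        if etype not in largest or size > largest[etype][0]:
            largest[etype] = (size, idx)
        if size > limit:
            oversized.append({"index": idx, "event_type": etype, "bytes": size,
                              "bulk_fields": [f for f in BULK_FIELDS if f in record]})
    return largest, oversized


# Constructed sample records (not from a real sensor); the alert carries a
# 20000-byte payload_printable, the kind of field behind very large events.
SAMPLE_LINES = [
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}),
    json.dumps({"event_type": "dns", "dns": {"rrname": "caf\u00e9.example"}}, ensure_ascii=False),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000001},
                "payload_printable": "A" * 20000}),
]

if __name__ == "__main__":
    largest, oversized = check_eve_sizes(SAMPLE_LINES)
    for etype, (size, idx) in sorted(largest.items()):
        print(f"{etype:8} largest record: {size} bytes (line {idx})")
    for o in oversized:
        print(f"line {o['index']}: {o['event_type']} {o['bytes']} bytes > {RSYSLOG_DEFAULT_MAX}; "
              f"bulk fields: {', '.join(o['bulk_fields']) or 'none'}")
```

Run it against a real eve.json by replacing `SAMPLE_LINES` with the file's lines and passing the limit your syslog daemon is configured with.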
Updated by Jason Ish 16 days ago
- Related to Feature #2380: [discussion] deprecate: 'alert syslog' output added
Updated by Jason Ish 16 days ago
- Related to Task #7234: syslog: remove standalone syslog output added