FEATURE: pfSense Suricata logs #12653
Comments
Excellent to see this being picked up! Also ideal would be to have the messages integrated with the existing capability to pick up syslog traffic from capture interfaces, enabling airgapped setups to also benefit from the Suricata log exposure over syslog. This will benefit environments where both an in-band system and a completely offline installation of SO exist.
@weslambert Great work, a sidenote: you may want to add a mention to the documentation that pf/OPNsense and co. might be liable to string truncation. I'm not entirely sure if that is still an issue, but it has manifested in the past; you might need to spin up a test setup to verify (I would do so myself if I had one right now). A quick test for end users would be to run tcpdump with -A/decoder modifiers or grab a pcap of the syslog traffic and have a gander with Wireshark. Truncated EVE messages will be immediately obvious as they won't conform to EVE/JSON format. EVE logs are especially fragile if syslog messages get truncated.
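An offline check for the truncation problem described in the comment above, as an added example that is not code from this thread or from Security Onion: it reads syslog lines (constructed samples here, not captured from a real pfSense host), pulls out the EVE payload after the syslog header, and flags records whose JSON no longer parses.

```python
import json
import re

# Constructed sample syslog lines: one complete EVE alert, one cut off
# mid-object the way a truncating syslog forwarder would emit it, and
# one non-Suricata line for contrast.
SAMPLE_SYSLOG = [
    '<14>Mar 11 10:15:01 pfsense suricata[1234]: {"timestamp":"2024-03-11T10:15:01.123456+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"TEST alert","severity":3}}',
    '<14>Mar 11 10:15:02 pfsense suricata[1234]: {"timestamp":"2024-03-11T10:15:02.654321+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"TEST alert","seve',
    '<14>Mar 11 10:15:03 pfsense sshd[99]: Accepted publickey for admin from 10.0.0.2',
]

# Everything from the first "{" after the "tag:" part of the header is
# treated as the EVE payload (assumed BSD-style syslog framing).
_PAYLOAD = re.compile(r'^<\d+>.*?:\s*(\{.*)$')


def classify_line(line: str) -> str:
    """Return 'ok', 'truncated' or 'not_eve' for one syslog line."""
    m = _PAYLOAD.search(line)
    if not m:
        return "not_eve"          # no JSON object in the message part
    try:
        obj = json.loads(m.group(1))
    except json.JSONDecodeError:
        return "truncated"        # JSON cut off: the EVE record is unusable
    # A parseable object without event_type is JSON, but not an EVE record.
    return "ok" if isinstance(obj, dict) and "event_type" in obj else "not_eve"


def truncation_report(lines):
    """Count line classes and report the longest line, a hint at the size
    limit a forwarder imposes when truncation is observed."""
    counts = {"ok": 0, "truncated": 0, "not_eve": 0}
    longest = 0
    for line in lines:
        counts[classify_line(line)] += 1
        longest = max(longest, len(line))
    return counts, longest


if __name__ == "__main__":
    counts, longest = truncation_report(SAMPLE_SYSLOG)
    print(f"{counts} longest_line={longest}")
```

On a real capture, feed it the decoded syslog lines (for example the output of a tcpdump -A run saved to a file) one per line; any count under truncated means the EVE pipeline is losing events.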
Discussed in #12558
Originally posted by thedeadliestcatch March 11, 2024
The pfSense integration does not support Suricata logs being sent over via the syslog listener.
Is there a way with 2.4 to ingest Suricata logs from pfSense?
Either from the same pipeline for the pfSense integration or by setting up an additional logging target (which can be done to separate the Suricata messages)
Beats has been removed mostly, and there is no documentation on setting it up for 2.4 or adding additional inputs to Logstash. Elastic Agent does not work on FreeBSD.
A workaround is to set up syslog-ng in a host and then send over the Suricata logs, installing Elastic Agent alongside that, but that's a questionable solution.