control: tags -1 moreinfo
control: severity -1 wishlist
thanks

On Mon, 15 May 2017 10:42:03 +0200
> I am very happy with logcheck. It works great and is very useful. However,
> it would be nice if you could add a ruleset for suricata (a successor to the
> well known snort IDS), so I get alerted when something fishy is going on.

It's a shame no-one replied to this bug from 2017 - let's change that now.

> In my case logcheck is run every 30 minutes, so I am very quickly aware when an
> attack is going on. On the other hand, I found no realtime alert option with
> suricata. The best way, IMO, would be a ruleset for suricata logs, which would alert
> me by mail (as logcheck normally does).

Unfortunately more information is needed to help with this.

Is the request to use logcheck to scan non-log files created by suricata? You can definitely do that, but you would need to write your own rules to ignore things that are not "fishy". ...but I don't think logcheck-database should ship such rules unless there is clear demand.

It looks like suricata can send its own alerts, so I'm not sure this is even needed in 2024?

If there are messages produced by suricata in the journal that logcheck should be filtering, then we need to know what those are.

(In the absence of more information we would likely close this bug as unactionable.)

