I'm looking for the correct information to send syslog-based alert data from a remote Suricata sensor to PacketFence. I'm unsure of how to make PacketFence know that it will be getting alerts via syslog. I've tried to find the appropriate documentation regarding this, however it seems a bit hard to locate. Can anyone point me in the correct direction?
So far I think I would need to change suricata.yaml to reflect the following items (I'd be grateful for any advice there):

    # a line based alerts log similar to fast.log into syslog
    - syslog:
        enabled: yes
        identity: "suricata"
        facility: local5
        level: Alert

    # Define your logging outputs. If none are defined, or they are all
    # disabled you will get the default - console output.
    outputs:
      - console:
          enabled: no
      - file:
          enabled: yes
          filename: /var/log/suricata.log
      - syslog:
          enabled: yes
          facility: local5
          format: "[%i] <%d> -- "

I'm using vanilla syslogd on FreeBSD as my syslog on the sensor. I realize I will have to make some changes to its config to forward the alerts to the PacketFence server. I'm not even sure if the syslog format that will be input from Suricata to syslogd will be compatible. I might have to manipulate it with a template in the conf file. I'm happy to do the reading. I've googled and googled and found not much of any meaningful info where this topic is concerned. I was hoping someone might know of some useful documentation on how to manipulate PacketFence and get it to start acting on Suricata alerts...

Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC

PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
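The question above asks what the Suricata alert lines will look like once they arrive over syslog and whether they can be consumed on the receiving side. The following is an added example, not code from the original post or from the PacketFence or Suricata projects: a small Python parser for the fast.log-style alert body that Suricata's syslog alert output emits (`[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`), tolerant of the `timestamp host ident[pid]:` prefix a receiving syslogd writes in front of each forwarded line. The sample lines, the sensor hostname `sensor01`, the addresses, and the signature IDs in the `1000000` local range with their messages are all constructed for this example; the exact field layout of the alert body is an assumption taken from the poster's "line based alerts log similar to fast.log" comment. The `format: "[%i] <%d> -- "` key in the poster's second YAML fragment belongs to Suricata's own engine-log `logging:` section and does not shape alert lines, so the parser does not look for it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Optional prefix written by the receiving syslog daemon: "<timestamp> <host> <ident>[<pid>]: "
SYSLOG_PREFIX_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<ident>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
)

# fast.log-style alert body (assumed layout; see lead-in). Ports are optional so a
# line without them still parses; IPv6 address/port splitting is best-effort.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9A-Fa-f.:]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f.:]+?)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class SuricataAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int          # 1 is the most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    sensor: Optional[str] = None   # host field from the syslog prefix, if present


def parse_alert(line: str) -> Optional[SuricataAlert]:
    """Parse one syslog line; return None for non-alert lines (engine startup messages etc.)."""
    line = line.rstrip("\r\n")
    prefix = SYSLOG_PREFIX_RE.match(line)
    sensor = prefix.group("host") if prefix else None
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return SuricataAlert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"], priority=int(g["priority"]),
        proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] is not None else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] is not None else None,
        sensor=sensor,
    )


def parse_feed(lines: Iterable[str]) -> List[SuricataAlert]:
    """Parse a stream of syslog lines, silently skipping anything that is not an alert."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def high_priority_sources(alerts: Iterable[SuricataAlert], max_priority: int = 2) -> List[str]:
    """Distinct source addresses seen in alerts at or above max_priority (lower number = higher)."""
    return sorted({a.src for a in alerts if a.priority <= max_priority})


# Constructed sample input: what forwarded lines would look like in the receiver's log file.
SAMPLE_LINES = [
    "Mar  3 10:22:41 sensor01 suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:49152",
    "Mar  3 10:22:42 sensor01 suricata[1234]: [1:1000001:1] LOCAL inbound connect to database port "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:51234 -> 192.168.1.30:1433",
    "Mar  3 10:22:43 sensor01 suricata[1234]: [1:1000002:1] LOCAL ICMP echo from workstation segment "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.40:0 -> 192.168.1.1:0",
    "Mar  3 10:22:44 sensor01 suricata[1234]: 3 - <Notice> - all 4 packet processing threads, "
    "4 management threads initialized, engine started.",
]

if __name__ == "__main__":
    for alert in parse_feed(SAMPLE_LINES):
        print(f"{alert.sensor} sid={alert.sid} prio={alert.priority} "
              f"{alert.proto} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport} {alert.msg!r}")
    print("sources at priority <= 2:", high_priority_sources(parse_feed(SAMPLE_LINES)))
```

On the sensor side, the forwarding itself is a single selector in FreeBSD's syslog.conf for the facility chosen in suricata.yaml, of the form `local5.* @receiver-host` (hostname is a placeholder), and on the receiver a matching selector writes that facility to its own file; the parser above is meant to run over that file or over lines read from the socket. Because the alert body carries no timestamp of its own, the receiving daemon's prefix is the only time reference, so clock sync between sensor and receiver matters if these records are used for correlation.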