I'm looking for the correct information to send syslog-based alert data from a 
remote Suricata sensor to PacketFence. 
I'm unsure of how to make PacketFence know that it will be getting alerts via 
syslog. 
I've tried to find the appropriate documentation regarding this; however, it 
seems a bit hard to locate. 
Can anyone point me in the correct direction?

So far I think I would need to change suricata.yaml to reflect the following 
items (I'd be grateful for any advice there):

# a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Alert

# Define your logging outputs.  If none are defined, or they are all
# disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "

I'm using vanilla syslogd on FreeBSD as my syslog on the sensor.
I realize I will have to make some changes to its config to forward the alerts 
to the PacketFence server.
I'm not even sure if the syslog format that will be input from suricata to 
syslogd will be compatible. 
I might have to manipulate it with a template in the conf file.


I'm happy to do the reading. 
I've googled and googled and found not much of any meaningful info where this 
topic is concerned. 
I was hoping someone might know of some useful documentation on how to 
manipulate PacketFence and get it to start acting on Suricata alerts...


Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC 
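
An added example, not from the original post or from PacketFence or Suricata, for checking what the sensor side will actually emit before the forwarder is pointed at PacketFence: a parser for Suricata alert lines as syslogd wraps them, filtered down to the priorities an action would be taken on. It assumes Suricata's syslog alert output uses the fast.log field layout without the timestamp and "[**]" markers; the sample lines, host and PID values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed line shape (constructed samples): syslogd's own prefix, the identity
# "suricata" with pid, then Suricata's alert text, which carries the fast.log
# fields but not fast.log's leading timestamp or its "[**]" markers.
SAMPLE_LINES = [
    "Jan  5 10:21:03 sensor1 suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.23:51234",
    "Jan  5 10:21:04 sensor1 suricata[1234]: [1:2210044:2] SURICATA STREAM Packet "
    "with broken ack [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {TCP} 198.51.100.23:51234 -> 192.0.2.10:80",
    "Jan  5 10:21:05 sensor1 sshd[999]: Accepted publickey for admin from 203.0.113.5",
]

# IPv4 only; IPv6 flows would need a different address pattern.
ALERT_RE = re.compile(
    r"suricata(?:\[\d+\])?: "                        # syslog identity, pid optional
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "    # generator:signature:revision
    r"(?P<msg>.+?) \[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\s*$"
)

@dataclass
class SuricataAlert:
    sid: int
    msg: str
    priority: int
    proto: str
    src_ip: str
    dst_ip: str

def parse_alert(line: str) -> Optional[SuricataAlert]:
    """Parse one syslog line; return None for lines that are not Suricata alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return SuricataAlert(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])

def select_alerts(lines, max_priority: int = 2) -> list:
    """(sid, source IP) pairs for alerts at priority <= max_priority (1 = most severe)."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert.priority <= max_priority:
            hits.append((alert.sid, alert.src_ip))
    return hits
```

Feed it a few real lines from the sensor's syslog file (tail the local5 log) to confirm the layout matches before relying on the forwarder.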


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users