Hello Christian,
The port is open in iptables, but does rsyslog listen on port 514?
Do you have this in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
And also, what about:
cat "pipe file"
Do you see something like Suricata alerts?
If yes, then you can start to configure a violation based on Suricata events.
Last thing: PacketFence needs to be aware of the DHCP traffic of your
production network, so you need to set an IP helper configuration on your
network to forward the traffic, or use the DHCP forwarder on your
production DHCP server.
Regards
Fabrice
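The two checks in the reply above (is rsyslog set up to listen on UDP 514, and does the alert pipe carry Suricata alerts) written up as a small shell script. This is an added example, not code from the thread or from the PacketFence project. Its assumptions: rsyslog's legacy "$ModLoad"/"$UDPServerRun" and RainerScript module()/input() directive syntax as matched by the patterns, that alerts reach the pipe in Suricata's fast-log form with a [gid:sid:rev] reference, that ss(8) and timeout(1) exist on the host, and that you supply the pipe path you gave the Suricata syslog parser (the thread does not name it). The sample pipe lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the PacketFence project or from the thread.
# Scripts the checks from the reply: is rsyslog configured (and actually
# listening) on UDP 514, and does the alert pipe carry Suricata alerts?

# Exit 0 if the rsyslog configuration in the given file(s) both loads imudp
# and starts a UDP listener on port $1. Both syntaxes are accepted: the
# legacy "$ModLoad imudp" / "$UDPServerRun 514" form quoted in the reply and
# the RainerScript module(load="imudp") / input(type="imudp" port="514") form.
# Usage: rsyslog_udp_listener_configured 514 /etc/rsyslog.conf /etc/rsyslog.d/*.conf
rsyslog_udp_listener_configured() {
    port=$1
    shift
    cat "$@" 2>/dev/null |
        grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imudp|module\(load="imudp"\))' || return 1
    cat "$@" 2>/dev/null |
        grep -Eq '^[[:space:]]*(\$UDPServerRun[[:space:]]+'"$port"'([[:space:]]|$)|input\(type="imudp"[^)]*port="'"$port"'")' || return 1
    return 0
}

# Exit 0 if something is bound to UDP port $1 on this host, 2 if ss(8) is
# missing. Runtime counterpart of the configuration check: imudp may be
# configured while rsyslog has not been restarted since the edit.
udp_port_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -uln 2>/dev/null | grep -Eq '[:.]'"$1"'([[:space:]]|$)'
}

# Constructed sample of what rsyslog could write to the pipe: two Suricata
# alert lines in fast-log form relayed through syslog, plus one non-alert
# line. Sids 1000001/1000002 are from the local test range, not real rules.
SAMPLE_PIPE_LINES='Feb 19 22:42:01 sensor suricata[1234]: [1:1000001:1] LOCAL example alert one [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.20:80
Feb 19 22:42:02 sensor suricata[1234]: engine started
Feb 19 22:42:03 sensor suricata[1234]: [1:1000002:1] LOCAL example alert two [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51002 -> 10.0.0.20:443'

# Print how many of the first $2 (default 20) lines of $1 look like Suricata
# alerts, i.e. carry the [gid:sid:rev] reference of the fast-log format
# (assumed format). $1 may be a regular file or the FIFO itself; on the FIFO
# this waits until that many lines have been written.
count_suricata_alerts() {
    head -n "${2:-20}" "$1" | grep -Ec '\[[0-9]+:[0-9]+:[0-9]+\]' || :
}

# Run all checks. $1 is the alert FIFO path given to the Suricata syslog
# parser in PacketFence; remaining arguments are the rsyslog configuration
# files to inspect (default: /etc/rsyslog.conf and /etc/rsyslog.d/*.conf).
run_checks() {
    pipe=$1
    shift
    [ $# -gt 0 ] || set -- /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    if rsyslog_udp_listener_configured 514 "$@"; then
        echo "rsyslog: imudp listener on UDP 514 is configured"
    else
        echo "rsyslog: no imudp listener on UDP 514 found in: $*"
    fi
    udp_port_listening 514
    case $? in
        0) echo "runtime: something is bound to UDP 514" ;;
        2) echo "runtime: ss not available, check skipped" ;;
        *) echo "runtime: nothing bound to UDP 514 (restart rsyslog?)" ;;
    esac
    # Same as 'cat "pipe file"' from the reply, but capped at 10 seconds so a
    # quiet pipe does not hang the script; whatever arrived is then counted.
    tmp=$(mktemp)
    timeout 10 cat "$pipe" > "$tmp" 2>/dev/null || :
    n=$(count_suricata_alerts "$tmp" 100)
    rm -f "$tmp"
    echo "pipe: $n Suricata alert line(s) read from $pipe in 10 s"
}

# Only run the checks when invoked as:
#   sh check_suricata_syslog.sh run /path/to/alert/pipe [rsyslog.conf ...]
if [ "${1:-}" = run ]; then
    shift
    run_checks "$@"
fi
```

The configuration check passes only when both directives are present somewhere across the files given, so an imudp line in rsyslog.conf with the port in a drop-in under rsyslog.d still counts, while a listener on another port (5140, say) does not. The runtime check catches the common case of a correct configuration that was never reloaded, and the pipe check is the reply's "cat the pipe" step with a time limit so that a quiet pipe reports zero alerts instead of hanging.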
On 19-02-21 at 22:42, Christian McDonald via PacketFence-users wrote:
Greetings,
I have Suricata configured to forward logs via UDP to the PF
management IP. It looks like UDP port 514 is already open on a vanilla
PF install?
I have added and enabled the Suricata Syslog Parser and created the
fifo alert pipe.
What else remains to be done in order to start building violations
against Suricata events?
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users