
IPS syslog does not show all alerts #2809

Closed
chiel1980 opened this issue Oct 12, 2018 · 5 comments

Comments

@chiel1980

commented Oct 12, 2018

As documented here (https://forum.opnsense.org/index.php?topic=7532.0) and here (https://forum.opnsense.org/index.php?topic=7402.15) it seems that not all alerts end up in the syslog.
I am not sure if this is a bug or a 'works as expected' but it would be great if all alerts end up in the syslog so the rsyslog server can parse the alerts with some logging tool (ELK) or monitoring tool (monit/ossec).
An example:

2018-10-11T15:08:06.596797+0200   blocked   LAN   118.123.15.142   52566   192.168.1.25   22   ET SCAN Potential SSH Scan   
2018-10-11T15:03:13.485746+0200   blocked   LAN   192.168.1.116   47408   62.112.238.55   80   ET TROJAN Zberp receiving conf..

root@bananapi:~# grep 'ET SCAN' /var/log/syslog | grep '15:08'
Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22

root@bananapi:~# grep -c 'TROJAN' /var/log/syslog
0
@fichtner

Member

commented Oct 16, 2018

Are you sure that UDP does not drop syslog events? I still have TCP support in my wish list on the basis of syslog-ng for that particular reason, especially if a lot of events are generated on the OPNsense.

@fichtner fichtner added the support label Oct 16, 2018
@chiel1980

Author

commented Oct 16, 2018

Pretty positive, it's low traffic at home where opnsense is my gateway. The rsyslog is a gigabit banana pi doing nothing but rsyslog. Also removed the firewall pass entries from the syslog settings.
I don't have the issues using offense and snort with syslog using more signatures than with opnsense and suricata.
Rsyslog traffic is low.

@fichtner fichtner added bug and removed support labels Oct 17, 2018
@fichtner fichtner self-assigned this Oct 17, 2018
@fichtner fichtner added this to the 19.1 milestone Oct 17, 2018
@ashceryth


commented Oct 21, 2018

I ran into a very similar issue when trying to send suricata eve json logs to a remote syslog-ng. Some of the messages are simply cut off and then cannot be parsed by the logstash json plugin. I think the size of the UDP datagrams limits the message length transmitted to the remote server. So the switch to syslog-ng would be fantastic.
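
The truncation described in the comment above can be checked on the receiving side. The following Python script is an added example, not code from this issue or from OPNsense, Suricata or syslog-ng: it parses syslog lines that carry Suricata EVE JSON, flags payloads that no longer parse as JSON (the usual symptom of a datagram cut at the transport's size limit), counts lines that exceed an assumed packet limit (RFC 3164's 1024 bytes by default; set it to whatever the forwarder actually allows), and lists which alert signatures were received so they can be compared against the IPS GUI. The sample lines are constructed for this example from the addresses and signatures quoted in the issue; the host name, the exact field layout and the function names are assumptions.

```python
"""Audit a syslog capture of Suricata EVE JSON events for truncated or missing alerts."""
import json
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164 caps a syslog packet at 1024 bytes; real forwarders often allow more,
# so this is an assumed threshold: adjust it to the receiver's configured limit.
DEFAULT_MAX_PACKET = 1024

# Constructed sample lines shaped like a syslog-forwarded EVE JSON stream
# (addresses and signatures taken from the issue text); not a real capture.
# The second line is deliberately cut off mid-JSON, as an oversized datagram would be.
SAMPLE_SYSLOG = (
    'Oct 11 15:08:06 vuurmuur suricata[46424]: {"timestamp":"2018-10-11T15:08:06.596797+0200",'
    '"event_type":"alert","src_ip":"118.123.15.142","src_port":52566,"dest_ip":"192.168.1.25",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,'
    '"signature":"ET SCAN Potential SSH Scan"}}\n'
    'Oct 11 15:03:13 vuurmuur suricata[46424]: {"timestamp":"2018-10-11T15:03:13.485746+0200",'
    '"event_type":"alert","src_ip":"192.168.1.116","src_port":47408,"dest_ip":"62.112.238.55",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature":"ET TROJAN Zberp receiving conf\n'
    'Oct 11 15:03:14 vuurmuur suricata[46424]: {"timestamp":"2018-10-11T15:03:14.000000+0200",'
    '"event_type":"flow","src_ip":"192.168.1.116","dest_ip":"62.112.238.55","proto":"TCP"}\n'
)

# RFC 3164 style header: "<Mon dd HH:MM:SS> <host> <app>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def split_syslog(line: str) -> Optional[Tuple[str, str]]:
    """Return (app, message) for a syslog line, or None if the header does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("app"), m.group("msg")


def classify(msg: str) -> Tuple[str, Optional[dict]]:
    """Classify a payload: 'ok' (parsed JSON), 'truncated' (JSON that fails to parse) or 'text'."""
    if not msg.startswith("{"):
        return "text", None
    try:
        return "ok", json.loads(msg)
    except json.JSONDecodeError:
        return "truncated", None


def audit(text: str, max_packet: int = DEFAULT_MAX_PACKET) -> Dict[str, object]:
    """Walk a capture and report parse results, oversized lines and the alert signatures seen."""
    counts = {"lines": 0, "ok": 0, "truncated": 0, "text": 0, "over_limit": 0}
    alerts: List[str] = []
    longest = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        counts["lines"] += 1
        size = len(line.encode("utf-8"))
        longest = max(longest, size)
        if size > max_packet:
            counts["over_limit"] += 1
        parts = split_syslog(line)
        if parts is None:
            counts["text"] += 1
            continue
        _, msg = parts
        kind, event = classify(msg)
        counts[kind] += 1
        if event is not None and event.get("event_type") == "alert":
            alerts.append(event["alert"]["signature"])
    return {"counts": counts, "alerts": alerts, "longest_line_bytes": longest}


def missing_alerts(expected: List[str], report: Dict[str, object]) -> List[str]:
    """Signatures shown in the IPS GUI (expected) that never arrived intact at the collector."""
    seen = set(report["alerts"])  # type: ignore[arg-type]
    return [sig for sig in expected if sig not in seen]


if __name__ == "__main__":
    result = audit(SAMPLE_SYSLOG)
    print(result)
    print("missing:", missing_alerts(
        ["ET SCAN Potential SSH Scan", "ET TROJAN Zberp receiving conf"], result))
```

Run it against the collector's syslog file instead of the constructed sample to see how many EVE lines arrive cut off; a non-zero `truncated` count with `over_limit` at zero points at the sending side's message limit rather than the receiver's, while alerts that are entirely absent rather than truncated are more consistent with dropped datagrams than with size limits.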

@fichtner

Member

commented Nov 11, 2018

There is a patch here a83e72a

Not sure it helps, but you can try and report back:

# opnsense-patch a83e72ac

then restart suricata (apply button)

@fichtner fichtner closed this Nov 11, 2018
@fichtner fichtner reopened this Nov 11, 2018
@fichtner fichtner modified the milestones: 19.1, 19.7 Jan 20, 2019
@fichtner

Member

commented Feb 11, 2019

I can't find a reference of why I reopened this. No feedback since November would indicate it works better than before for one reason or another. Feel free to update if not.

@fichtner fichtner closed this Feb 11, 2019
3 participants