IPS syslog does not show all alerts #2809

Closed
chiel1980 opened this issue Oct 12, 2018 · 5 comments
Labels: bug Production bug

chiel1980 commented Oct 12, 2018

As documented here (https://forum.opnsense.org/index.php?topic=7532.0) and here (https://forum.opnsense.org/index.php?topic=7402.15) it seems that not all alerts end up in the syslog.
I am not sure if this is a bug or a 'works as expected' but it would be great if all alerts end up in the syslog so the rsyslog server can parse the alerts with some logging tool (ELK) or monitoring tool (monit/ossec).
An example:

2018-10-11T15:08:06.596797+0200   blocked   LAN   118.123.15.142   52566   192.168.1.25   22   ET SCAN Potential SSH Scan   
2018-10-11T15:03:13.485746+0200   blocked   LAN   192.168.1.116   47408   62.112.238.55   80   ET TROJAN Zberp receiving conf..

root@bananapi:~# grep 'ET SCAN' /var/log/syslog | grep '15:08'
Oct 11 15:08:06 vuurmuur.protegam.lan suricata[46424]: [Drop] [1:2001219:20] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 118.123.15.142:52566 -> 192.168.1.25:22

root@bananapi:~# grep -c 'TROJAN' /var/log/syslog
0
@fichtner (Member)
Are you sure that UDP does not drop syslog events? I still have TCP support in my wish list on the basis of syslog-ng for that particular reason, especially if a lot of events are generated on the OPNsense.

@fichtner fichtner added the support Community support label Oct 16, 2018
@chiel1980 (Author)
Pretty positive, it's low traffic at home where opnsense is my gateway. The rsyslog is a gigabit banana pi doing nothing but rsyslog. Also removed the firewall pass entries from the syslog settings.
I don't have the issues using offense and snort with syslog using more signatures than with opnsense and suricata.
Rsyslog traffic is low.

@fichtner fichtner added bug Production bug and removed support Community support labels Oct 17, 2018
@fichtner fichtner self-assigned this Oct 17, 2018
@fichtner fichtner added this to the 19.1 milestone Oct 17, 2018
@ashceryth
I ran into a very similar issue when trying to send suricata eve json logs to a remote syslog-ng. Some of the messages are simply cut off and then cannot be parsed by logstash json plugin. I think the size of the UDP datagrams limits the message length transmitted to the remote server. So the switch to syslog-ng would be fantastic.
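The two failure modes raised in this thread (events silently missing from the remote syslog, and eve JSON records cut off so the receiver's JSON parser rejects them) can be measured on the receiving side before switching transports. The script below is an added example, not code from the issue or from OPNsense: it parses syslog lines in the classic "Mon DD HH:MM:SS host program[pid]: message" form, tries to decode each suricata payload as eve JSON, and counts records that were truncated in transit. The sample lines, hostname, addresses (RFC 5737 ranges) and the second signature id are constructed for the example; the 1400-byte warning threshold is an assumption chosen to sit under a 1500-byte MTU path.

```python
import json
import re

# Constructed sample lines (not taken from the issue): the shape syslog writes when
# suricata forwards eve JSON, with RFC 5737 documentation addresses and an invented
# hostname. The second record is cut off mid-string, as a truncated UDP datagram would be.
SAMPLE_SYSLOG_LINES = [
    'Oct 11 15:08:06 sensor suricata[46424]: {"timestamp":"2018-10-11T15:08:06.596797+0200",'
    '"event_type":"alert","src_ip":"203.0.113.10","src_port":52566,"dest_ip":"192.0.2.25",'
    '"dest_port":22,"alert":{"action":"blocked","signature_id":2001219,'
    '"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}',
    'Oct 11 15:03:13 sensor suricata[46424]: {"timestamp":"2018-10-11T15:03:13.485746+0200",'
    '"event_type":"alert","src_ip":"192.0.2.116","src_port":47408,"dest_ip":"198.51.100.55",'
    '"dest_port":80,"alert":{"action":"blocked","signature_id":2000000,'
    '"signature":"ET TROJAN Zberp receiving conf',
    'Oct 11 15:04:00 sensor suricata[46424]: {"timestamp":"2018-10-11T15:04:00.000000+0200",'
    '"event_type":"flow","src_ip":"192.0.2.116","dest_ip":"198.51.100.55"}',
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)


def parse_line(line):
    """Split one syslog line into header and payload, then try to decode the payload as eve JSON."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"status": "unparsed", "raw": line}
    record = {
        "host": m.group("host"),
        "prog": m.group("prog"),
        "bytes": len(line.encode("utf-8")),
    }
    try:
        record["event"] = json.loads(m.group("msg"))
        record["status"] = "ok"
    except json.JSONDecodeError:
        # An unterminated JSON object is the typical trace of a datagram cut off in
        # transit (or of a sender that split one event across several messages).
        record["status"] = "truncated"
        record["prefix"] = m.group("msg")[:60]
    return record


def audit(lines, size_warn_bytes=1400):
    """Summarise a batch of lines: how many decoded, how many were cut off, which alerts survived."""
    summary = {
        "ok": 0, "truncated": 0, "unparsed": 0, "near_limit": 0,
        "alerts": [], "truncated_prefixes": [],
    }
    for line in lines:
        rec = parse_line(line)
        summary[rec["status"]] += 1
        if rec.get("bytes", 0) >= size_warn_bytes:
            # Records this long are candidates for truncation on a 1500-byte MTU path
            # (threshold is an assumption for this example).
            summary["near_limit"] += 1
        if rec["status"] == "ok" and rec["event"].get("event_type") == "alert":
            a = rec["event"]["alert"]
            summary["alerts"].append((a["signature_id"], a["signature"], a["action"]))
        elif rec["status"] == "truncated":
            summary["truncated_prefixes"].append(rec["prefix"])
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_SYSLOG_LINES)
    print(f"decoded={result['ok']} truncated={result['truncated']} unparsed={result['unparsed']}")
    for sid, sig, action in result["alerts"]:
        print(f"  alert {sid} {action}: {sig}")
    for prefix in result["truncated_prefixes"]:
        print(f"  truncated record: {prefix}...")
```

Run against the real /var/log/syslog on the receiver, a non-zero "truncated" count points at transport-level loss rather than at suricata not raising the alert; comparing the surviving signature ids against the alerts shown in the OPNsense GUI then separates "dropped" from "cut off".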

@fichtner (Member)
There is a patch here a83e72ac

Not sure it helps, but you can try and report back:

# opnsense-patch a83e72ac

then restart suricata (apply button)

@fichtner fichtner reopened this Nov 11, 2018
@fichtner fichtner modified the milestones: 19.1, 19.7 Jan 20, 2019
@fichtner (Member)
I can't find a reference of why I reopened this. No feedback since November would indicate it works better than before for one reason or another. Feel free to update if not.
