Hello,
it is possible to transfer the IDS log messages via syslog to my syslog server (graylog)?
See Remote logging section of the wiki page on Log Settings
https://wiki.ipfire.org/configuration/logs/logsettings
This will send all the logs to your remote syslog.
If you only want to send the IDS logs and nothing else, that can’t be done by IPFire. You would have to look at filtering the incoming logs at your remote syslog to only accept the IDS logs.
Thanks for fast response. Syslog is already configured but it not include the messages from IPS Log.
Okay, so I had a look through the code for the remote syslog assignment and as far as I can see it just adds the hostname for the remote syslog to get the logging information.
I then looked at the /var/log
directory.
There is suricata data in the /var/log/messages
file but that seems to only contain Errorcodes about flowbits being checked but not set. This log data is what gets shown in the System Logs menu when Intrusion Prevention is selected from the drop down box.
The IPS logs from the intrusion evaluation against the rules are in /var/log/suricata/fast.log
which is the source of what is shown on the Logs - IPS Logs WUI menu which you showed.
It looks to me like the logs that are going into the messages file are the ones being sent to the remote syslog but not the logs going into the fast.log file
I have not read the code enough yet to be sure of this and there are some programs written in c which I am totally unfamiliar with but I have the suspicion that the stuff going to the fast.log file is not getting sent to the defined remote syslog.
I will try and look at it more but maybe others are better able to review the code for this.
This would then sound like a bug if my above findings and interpretation are correct.
I have found the suricata.yaml file which defines the logging required within it.
This has the fast.log option enabled but there is also a syslog option enabled but it is not clear to me that if the fast.log is enabled whether the syslog option being enabled sends the log info to the IPFire syslog or not.
Either way, I think I have come to the conclusion that as you are successfully getting the other logging info sent to your remote syslog but not the IPS logs then that does count as a bug and you should raise it in the IPFire Bugzilla.
Your IPFire People email address and password credentials will a;also log you in to the IPFire bugzilla.
https://wiki.ipfire.org/devel/bugzilla
https://bugzilla.ipfire.org/
Work around described here and in the bug report.
My be help full
when activation the following setting