Hi,
Thanks for the hint. I managed to find a workaround:
If you include a “syslog” section directly under the “outputs” section, it seems to work. Not in the “logging” and then “outputs” section.
See the config below.
You do not even need to activate syslog in the “logging - outputs” section.
```yaml
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      # filename: ../messages
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - syslog:
      enabled: yes
      facility: local5
      identity: "scata"
      format: ""
      level: Info

  # Stats.log contains data from various counters of the suricata engine.
  - stats:
      enabled: no
      filename: stats.log
      append: no        # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes # print counters that have value 0

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
```
The Wireshark output is like this (anonymized):
```text
scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} zz.zz.zz.zz:yyy → xx.xx.xx.xx:bbb
```
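Once the syslog output above is in place, alert lines reach the collector in the one-line format shown. The Python script below is an added example, not code from the post or from Suricata: it parses that format (tolerating a syslog timestamp/hostname prefix and either arrow style), skips non-alert lines, and tallies dropped packets per rule SID, a typical first check that a block rule is actually firing. The sample lines are constructed (RFC 5737 addresses, a made-up local-rule SID 1000001); only SID 2028651 and the identity "scata" come from the post, and IPv4 addresses are assumed.

```python
"""Parse Suricata alert lines as delivered by the syslog output and summarise drops."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Alert line emitted by Suricata's syslog output, as shown in the post:
#   <identity>[<pid>]: [<action>] [gid:sid:rev] <msg> [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# A leading syslog timestamp/hostname is tolerated. "->" is what Suricata writes;
# "→" is also accepted because some viewers render the arrow that way.
# Assumption: IPv4 addresses (IPv6 contains colons and would need a different split).
ALERT_RE = re.compile(
    r"""
    ^(?:.*?(?P<identity>[\w.-]+)\[(?P<pid>\d+)\]:\s+)?      # optional "scata[20094]: " tag
    \[(?P<action>[^\]]+)\]\s+                               # [Drop], [wDrop] or [**]
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+           # [gid:sid:rev]
    (?P<msg>.*?)\s+                                         # rule message
    \[Classification:\s(?P<classification>[^\]]+)\]\s+
    \[Priority:\s(?P<priority>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+
    (?P<src_ip>[^\s:]+):(?P<src_port>\d+)\s+(?:->|→)\s+
    (?P<dst_ip>[^\s:]+):(?P<dst_port>\d+)\s*$
    """,
    re.VERBOSE,
)


@dataclass
class Alert:
    identity: Optional[str]
    pid: Optional[int]
    action: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for one syslog line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        identity=g["identity"],
        pid=int(g["pid"]) if g["pid"] else None,
        action=g["action"],
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"],
        classification=g["classification"],
        priority=int(g["priority"]),
        proto=g["proto"],
        src_ip=g["src_ip"], src_port=int(g["src_port"]),
        dst_ip=g["dst_ip"], dst_port=int(g["dst_port"]),
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every line of a syslog extract, silently skipping non-alert lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def drops_by_sid(alerts: List[Alert]) -> Dict[int, int]:
    """Count packets Suricata reported as dropped (Drop or wDrop), keyed by rule SID."""
    counts: Dict[int, int] = {}
    for a in alerts:
        if a.action.lower() in ("drop", "wdrop"):
            counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


# Constructed sample syslog extract: RFC 5737 addresses, SID 1000001 is a made-up local rule.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 sensor1 scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:49152 -> 198.51.100.20:80
Jan 10 12:00:02 sensor1 scata[20094]: [**] [1:1000001:1] LOCAL test rule alert only [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 192.0.2.10:49153
Jan 10 12:00:03 sensor1 scata[20094]: [Drop] [1:2028651:2] ET USER_AGENTS Steam HTTP Client User-Agent [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.11:50000 → 198.51.100.20:80
Jan 10 12:00:04 sensor1 scata[20094]: engine started (constructed non-alert line)
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_SYSLOG)
    for a in parsed:
        print(f"{a.action:>5} sid={a.sid} prio={a.priority} {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}  {a.msg}")
    print("drops per SID:", drops_by_sid(parsed))
```

Feed it the collector's file instead of `SAMPLE_SYSLOG` to confirm that the `[Drop]` lines for a rule set to drop are present; an empty `drops_by_sid` result while alerts still appear usually means the rule is firing in alert mode rather than drop mode.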