Actions
Feature #2671
closedAdd Log level to suricata.log when using JSON type
Effort:
low
Difficulty:
low
Label:
Description
Currently the log level (Info, Warning, Error, etc.) is missing from the suricata.log file when choosing JSON as the type.
Here is an example of the log output in 4.0.5:
{"timestamp":"2018-11-09T10:43:51.454590-0600","event_type":"engine","engine":{"message":"This is Suricata version 4.0.5 RELEASE"}}
{"timestamp":"2018-11-09T10:43:51.454766-0600","event_type":"engine","engine":{"message":"CPUs\/cores online: 1"}}
{"timestamp":"2018-11-09T10:43:51.459482-0600","event_type":"engine","engine":{"message":"Found an MTU of 1500 for 'eth0'"}}
{"timestamp":"2018-11-09T10:43:51.459548-0600","event_type":"engine","engine":{"message":"Found an MTU of 1500 for 'eth0'"}}
{"timestamp":"2018-11-09T10:43:51.482034-0600","event_type":"engine","engine":{"message":"Running in live mode, activating unix socket"}}
This request is to add the log level, as this is useful when using logging for alerting purposes.
An example of the desired output is:
{"timestamp":"2018-11-09T12:05:27.806528-0600","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 4.0.5 RELEASE"}}
{"timestamp":"2018-11-09T12:05:27.806976-0600","log_level":"Info","event_type":"engine","engine":{"message":"CPUs\/cores online: 1"}}
{"timestamp":"2018-11-09T12:05:27.812498-0600","log_level":"Info","event_type":"engine","engine":{"message":"Found an MTU of 1500 for 'eth0'"}}
{"timestamp":"2018-11-09T12:05:27.812555-0600","log_level":"Info","event_type":"engine","engine":{"message":"Found an MTU of 1500 for 'eth0'"}}
Updated by Eric Urban almost 6 years ago
It is true that error level messages do have extra info added, so it would be possible to alert on errors. However, it seems nice to have the log level always available.
An example of an error event:
{"timestamp":"2018-11-12T12:02:39.566766-0600","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"Loading signatures failed."}}
It still seems to me it would be appropriate to have something like:
{"timestamp":"2018-11-12T12:02:39.566766-0600","log_level":"Error","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"Loading signatures failed."}}
Updated by Eric Urban almost 6 years ago
Updated by Victor Julien almost 6 years ago
- Status changed from New to Closed
- Target version set to 4.1.1
Actions