Discussed in #11368
Originally posted by senatesan September 21, 2023
Version: 2.4.10
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 8
RAM: 16
Storage for /: 162
Storage for /nsm: 326
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
I need to have multiple suricata eve logger instances for a customization I'm working on. The process to do this in suricata is documented here https://docs.suricata.io/en/suricata-6.0.13/output/eve/eve-json-output.html#multiple-logger-instances.
In the past, when I was using SO 2.3 I was able to implement this change by modifying my sensor's pillar sls file and adding my additional eve-log section to the suricata config like this:
Now that I'm using SO 2.4.10 I have tried to make this same change but have not succeeded. I tried using the SOC's Configuration page adding my YAML in suricata>advanced but it did not seem to apply my custom config. This is the custom YAML I tried, but it doesn't seem to be applied to my sensor's /opt/so/conf/suricata/suricata.yaml after running a highstate:
What is the best way to make this custom config change to Suricata? Is there any other way to create multiple eve logger instances?
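One way to confirm whether a rendered suricata.yaml really carries an additional eve-log instance after a highstate, as an added example that is not part of the original post or of Security Onion's code. The sample config, the file name eve-custom.json and the function names are constructed for illustration.

```python
import re

# Constructed sample of an "outputs" section; not the configuration from this issue.
SAMPLE = """\
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
  - eve-log:
      enabled: no  # constructed: second instance present but switched off
      filename: eve-custom.json
logging:
"""

def eve_loggers(text):
    """Return one {"filename", "enabled"} dict per eve-log entry under top-level outputs."""
    loggers, in_outputs, item_indent, key_indent, cur = [], False, None, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()               # drop trailing comments
        stripped = line.lstrip()
        if not stripped or stripped.startswith(("#", "%", "---")):
            continue
        indent = len(line) - len(stripped)
        if indent == 0 and not stripped.startswith("-"):  # a new top-level key
            in_outputs, item_indent, cur = stripped.startswith("outputs:"), None, None
        elif not in_outputs:
            continue
        elif stripped.startswith("- ") and item_indent in (None, indent):
            item_indent, key_indent, cur = indent, None, None  # next entry of outputs
            if re.fullmatch(r"-\s+eve-log:", stripped):
                loggers.append(cur := {"filename": None, "enabled": None})
        elif cur is not None:
            key_indent = indent if key_indent is None else key_indent
            m = re.fullmatch(r"(filename|enabled):\s*(.+)", stripped)
            if m and indent == key_indent:                # ignore keys nested deeper
                cur[m.group(1)] = m.group(2).strip("'\" ")
    return loggers

def missing_loggers(text, expected):
    """Expected eve filenames that are absent or not enabled in the given config text."""
    active = {e["filename"] for e in eve_loggers(text)
              if str(e["enabled"]).lower() in ("yes", "true", "on", "1")}
    return [name for name in expected if name not in active]

print(missing_loggers(SAMPLE, ["eve.json", "eve-custom.json"]))
```

To check a sensor, pass the contents of /opt/so/conf/suricata/suricata.yaml as `text` and the filenames of the custom instances as `expected`; an empty list means every expected logger is present and enabled.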