caliskanfurkan / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive
0 stars 0 forks source link

Snort alerts given class NONE (#134 again) #141

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.  Same issue as #134

What is the expected output? What do you see instead?
correct "class=SNORT"

What version of the product are you using? On what operating system?
Ubuntu 12.04 LTS

Please provide any additional information below.
I upgraded ELSA to take advantage of some fixes and restored my local rewrites. 
 I've noticed two things.  
1.  snort alerts are being assigned class=NONE once again (same issue as #134)
2.  The number of logs indexed has doubled.  I was just under 1M records and 
immediately after upgrading I'm at 1.9M.  Probably not too important, but 
strange.  

I attempted to fix this as before by commenting out the parser line, but that 
doesn't seem to be working.  

Thanks!

Original issue reported on code.google.com by br...@hurrikane.net on 16 May 2013 at 8:55

GoogleCodeExporter commented 9 years ago
This has to be something in the syslog-ng.conf file.  I just overwrote the 
latest file with my backup copy which was working just prior to upgrading and 
we're good once again.  

Original comment by br...@hurrikane.net on 16 May 2013 at 9:07

GoogleCodeExporter commented 9 years ago
Ok, this sounds like a documentation bug.  What happens at update/install is 
that /usr/local/elsa/node/conf/patterndb.xml is copied to /etc/elsa/patterns.d, 
overwriting whatever is there (this is so new patterns can be added).  Then, 
everything in /etc/elsa/patterns.d is merged to 
/usr/local/elsa/node/conf/merged.xml, which is what is referred to in the 
/usr/local/syslog-ng/etc/syslog-ng.conf file that controls what parser is 
loaded.  So, if you make edits, you need to put them in a separate file from 
/etc/elsa/patterns.d/patterndb.xml since it gets overwritten, and you need to 
check the behavior for how the pattern may conflict with the stock pattern.  
What's the diff between your working pattern and the stock pattern?

Original comment by mchol...@gmail.com on 17 May 2013 at 9:42

GoogleCodeExporter commented 9 years ago
I just did an upgrade to v968 and whatever this issue was appears to be 
resolved.  Thanks!

Original comment by br...@hurrikane.net on 12 Jul 2013 at 3:52

GoogleCodeExporter commented 9 years ago
Great!

Original comment by mchol...@gmail.com on 12 Jul 2013 at 10:09