Logger module ignores the config

[victorazzam]

Hi folks!

I've been experiencing issues with getting Pulsar to produce JSON output. I am running Pulsar in a test environment and it correctly logs threat events based on a couple of rules I defined. The trouble is that the only output I am getting is in the console and in the default format. It seems the logger config is being ignored, and I can't find anything in the syslog even with it enabled.

Please excuse my naiveté in case I misunderstood the premise of the logger module entirely. Nonetheless, how do I troubleshoot this dillemma? Thanks in advance!

[banditopazzo]

Hi, thank for reaching us.

The first thing you can do is to run pulsar-exec pulsar config -m logger (or pulsar instead of pulsar-exec pulsar if you have the helper scripts) to check the configuration.

I tried the main branch with the following configuration in the pulsar.ini and I am getting the JSON output and syslog messages:

# ...

[logger]
output_format=json
syslog=true

# ...

can you send your logger configuration?

[victorazzam]

$ pulsar config -m logger
+---------------+-------+
| KEY           | VALUE |
+=======================+
| console       | true  |
|---------------+-------|
| enabled       | true  |
|---------------+-------|
| output_format | json  |
|---------------+-------|
| syslog        | true  |
+---------------+-------+

For completeness, here is how I ran it:

$ ps -ax | grep pulsar
2868465 ?        S      0:00 sh /usr/bin/pulsard --config-file /var/lib/pulsar/pulsar.ini
2868466 ?        Sl     5:39 /usr/bin/pulsar-exec pulsard --config-file /var/lib/pulsar/pulsar.ini

[victorazzam]

I later tried running it within Docker (--privileged --net=host --pid=host --cgroupns=host) and still no dice. Should I be seeing JSON in the standard output/error using the above config?

[victorazzam]

Regarding syslog any ideas why could this be?