I don't have access to network traffic to see if they're even being sent out of the indexers - I suspect not, because I do see them when I use the defaultGroup in the [syslog] stanza. The receiver shouldn't be an issue - I can telnet to it and type nonsense and it records it...
Multiple lines per event, they're definitely large (and one of the reasons I have MaxEventSize fairly high).
I could set up rsyslog on the suricata boxes, but I really want to avoid that if I can - it's not easy to manage cleanly even with Ansible, and I think in the past they've had issues between syslog, systemd and the event rate... To me, this should work as I've configured it, and I'd rather try to do it this way before doing something else.
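For readers following the thread, here is an added illustration (not the poster's own configuration, which is not shown) of the two ways Splunk sends events to a syslog receiver: a catch-all via `defaultGroup` in the `[syslog]` stanza of outputs.conf, which the poster says does deliver the events, versus selective per-sourcetype routing via the `_SYSLOG_ROUTING` key in props.conf/transforms.conf. The group name, host, port, sourcetype and size value are assumptions for the example. Because these settings run at parse time, they belong on the indexers (or heavy forwarders), not on universal forwarders.

```ini
# outputs.conf (indexer / heavy forwarder)
# Hypothetical group name and receiver address, for illustration only.
[syslog]
# Approach 1: catch-all. Every parsed event goes to this group.
defaultGroup = suricata_syslog

[syslog:suricata_syslog]
server = syslog-receiver.example.com:514
type = tcp
# Default is 1024 bytes; large multi-line Suricata events are
# truncated to this size, so raise it to match the real event size.
maxEventSize = 65536

# props.conf
# Approach 2: route only one sourcetype. Comment out defaultGroup above
# so that everything else stays local and only matched events go out.
[suricata]
TRANSFORMS-syslog_route = route_suricata_to_syslog

# transforms.conf
[route_suricata_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = suricata_syslog
```

A quick way to separate "not sent" from "sent but dropped" without a packet capture is to check the indexer's splunkd.log for `TcpOutputProc`/syslog output messages after a restart, and to confirm the routing transform is actually applied to the sourcetype in question with `splunk btool props list suricata --debug` on the indexer.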