Stop suricata/syslog from outputting to console

Hello all,

I’m trying to set up VyOS with Suricata and send the logs to a remote syslog server. However, all output is printed to the console. The console is absolutely unworkable with this output. How can I manage/stop the output from flooding my console?

example console output:

```
Message from syslogd@vyos at Mar 16 18:23:17 ...
 suricata[3860]:{"timestamp":"2026-03-16T18:23:17.478329+0000","flow_id":4901417913679168,"in_iface":"eth0","event_type":"dns","src_ip":"<REDACTED>",
...snip...
```

I basically took the suricata config from this post.

My config:

interfaces {
    ethernet eth0 {
        address dhcp
        hw-id <REDACTED>
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        address <REDACTED_LAN_IP>
        hw-id <REDACTED>
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name eth0
            }
            source {
                address <REDACTED>
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name lan {
            subnet <REDACTED> {
                option {
                    default-router <REDACTED>
                    name-server 8.8.8.8
                }
                range 1 {
                    start <REDACTED>
                    stop <REDACTED>
                }
                subnet-id 1
            }
        }
    }
    ntp {
        allow-client {
            address 127.0.0.0/8
            address 169.254.0.0/16
            address 10.0.0.0/8
            address 172.16.0.0/12
            address 192.168.0.0/16
            address ::1/128
            address fe80::/10
            address fc00::/7
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
    }
    suricata {
        address-group aim-servers {
            group external-net
        }
        address-group dc-servers {
            group home-net
        }
        address-group dns-servers {
            group home-net
        }
        address-group external-net {
            group !home-net
        }
        address-group home-net {
            address <REDACTED_HOME_NET>
        }
        address-group http-servers {
            group home-net
        }
        address-group smtp-servers {
            group home-net
        }
        address-group sql-servers {
            group home-net
        }
        address-group telnet-servers {
            group home-net
        }
        interface eth0
        log {
            eve {
                filetype syslog
                type alert
                type drop
                type dns
                type http
            }
        }
        port-group all-ports {
            port 1-65535
        }
        port-group file-data-ports {
            group http-ports
            port 110
            port 143
        }
        port-group ftp-ports {
            port 21
        }
        port-group geneve-ports {
            port 6081
        }
        port-group http-ports {
            port 80
        }
        port-group oracle-ports {
            port 1521
        }
        port-group shellcode-ports {
            port !80
        }
        port-group ssh-ports {
            port 22
        }
        port-group teredo-ports {
            port 3544
        }
        port-group vxlan-ports {
            port 4789
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        operator-group default {
            command-policy {
                allow "*"
            }
        }
        user <REDACTED> {
            authentication {
                encrypted-password <REDACTED>
                plaintext-password <REDACTED>
            }
        }
    }
    name-server 8.8.8.8
    option {
        reboot-on-upgrade-failure 5
    }
    syslog {
        local {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
        remote <syslog_server_ip> {
        }
    }
}


The flooding is from Suricata’s eve `filetype syslog` pumping high-volume JSON into syslogd, which then broadcasts to all console sessions. Two ways to fix it.

**Option 1 (cleanest)** - change to file logging instead of syslog:

```
# eve is a child of 'service suricata log', not of 'interface' (see the posted config)
delete service suricata log eve filetype
set service suricata log eve filetype regular
```

That stops the console flooding entirely and writes to `/var/log/suricata/eve.json` by default. You can then have rsyslog tail that file and forward to your remote syslog server using the `imfile` module if needed.

**Option 2** - keep `filetype syslog` but silence the console. Suricata logs via facility `local7` by default. Bump the console threshold so it stops appearing there:

```
set system syslog console facility local7 level emerg
```

That suppresses everything below emergency from hitting the console. Either way your remote syslog forwarding should keep working fine - it’s just the console spam that stops.

geometry dash wrote:

> [quote of the original post, snipped]

If the VyOS CLI doesn’t give you enough granularity, you may need to look at the underlying rsyslog quirks, but usually adjusting `system syslog local facility all level` to `notice` or `warning` is enough to clear the console flood.

Give that a shot and let us know if the logs stop appearing on the CLI!

Your current config shows:

```
system { syslog { local { facility all { level info } } } }
```

This is very “chatty.” Suricata EVE logs via syslog often use the info level. You can try changing the local facility to a higher level (like err or warning) so they don’t print locally, while keeping the remote server config as is.

According to the docs:

By default, VyOS provides a minimal logging configuration with local storage and log rotation. All errors, including local7 messages, are saved to a local file. Emergency alerts are sent to the console.

So out of the blue it feels like VyOS should already have sane defaults of what is being logged where.

As in, local and remote logging get all logs that are produced, while the console gets only emergency (or higher) messages.

It also says that to define what’s being logged to the console you will be using:

```
set system syslog console facility <keyword> level <keyword>
```

So I think that in this case you should perhaps remove that “facility local7” line (since I would expect that to already be covered by the “facility all” line, meaning all logs at level info or above will be stored locally), let that remote line remain (for remote logging), but add something like this to only get emergency (or above) messages printed to the console:

```
set system syslog console facility all level emerg
```

as suggested by PaddraighOS.
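To make the facility/level mechanics behind both suggestions concrete, here is an added worked example (my own code, not from the thread or from VyOS). It decodes the `<PRI>` header of wire-format syslog lines into facility and severity, models VyOS `facility <f> level <l>` selectors the way rsyslog applies them (additive: any matching rule delivers), and shows what happens to a constructed Suricata EVE line under the OP's `local` stanza, after `set system syslog console facility all level emerg`, and after a `local7`-only console rule. The `local` selectors are taken from the posted config; the console and remote selectors, the sample log lines, the addresses, and the eve.json framing in `frame_eve_record` are assumptions constructed for the demo (the posted config has no console stanza). The facility names for codes 12 to 15 follow common rsyslog usage.

```python
"""Added example (not from the thread): model how syslog facility/severity
selectors decide where a message goes, using the selectors discussed above."""
import json
import re

# RFC 5424 numbering. Severity 0 is the most urgent; "level X" in VyOS means
# "X and anything more urgent", so 'level emerg' keeps only severity 0.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0..23 (names for 12-15 follow common rsyslog usage).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (local7.info -> 190)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri: (facility, severity) keywords for a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(raw):
    """Split a wire-format '<PRI>...' line into facility, severity and the rest."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def selector_matches(rules, facility, severity):
    """rules: [(facility, level), ...] as in 'facility all level info'.
    Selectors are additive: a message is delivered if ANY rule matches it, so a
    per-facility rule cannot override a broader 'all' rule on the same destination."""
    sev = SEVERITIES.index(severity)
    return any((f == "all" or f == facility) and sev <= SEVERITIES.index(lvl)
               for f, lvl in rules)


def apply_set(destinations, dest, facility, level):
    """Model 'set system syslog <dest> facility <facility> level <level>':
    facility is a tag node, so only that facility's level is replaced."""
    new = {d: list(r) for d, r in destinations.items()}
    new[dest] = [r for r in new.get(dest, []) if r[0] != facility] + [(facility, level)]
    return new


def route(raw, destinations):
    """Names of the destinations a raw syslog line would be delivered to."""
    msg = parse_line(raw)
    return sorted(name for name, rules in destinations.items()
                  if selector_matches(rules, msg["facility"], msg["severity"]))


def frame_eve_record(record_json, facility="local7", severity="info",
                     host="vyos", tag="suricata"):
    """Wrap one eve.json record the way a file-tailing forwarder would before
    sending it on to the remote collector (constructed framing, RFC 5424-style)."""
    ts = json.loads(record_json)["timestamp"]
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag}: {record_json}"


# Constructed sample traffic (addresses from the RFC 5737 documentation range).
EVE_RECORD = ('{"timestamp":"2026-03-16T18:23:17.478329+0000","event_type":"dns",'
              '"src_ip":"192.0.2.10","dest_ip":"192.0.2.53"}')
SAMPLES = {
    "eve":   "<190>Mar 16 18:23:17 vyos suricata[3860]: " + EVE_RECORD,          # local7.info
    "sshd":  "<86>Mar 16 18:24:02 vyos sshd[4120]: Accepted publickey for vyos",  # authpriv.info
    "emerg": "<0>Mar 16 18:25:11 vyos kernel: constructed emergency message",     # kern.emerg
}

# The OP's 'local' stanza verbatim; the console and remote selectors are
# assumptions chosen to reproduce the flood (the posted config has no console stanza).
FLOODING = {
    "local":   [("all", "info"), ("local7", "debug")],
    "console": [("all", "info")],
    "remote":  [("all", "info")],
}
# set system syslog console facility all level emerg
QUIET = apply_set(FLOODING, "console", "all", "emerg")
# set system syslog console facility local7 level emerg  (leaves the 'all' rule in place)
PARTIAL = apply_set(FLOODING, "console", "local7", "emerg")

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        parsed = parse_line(line)
        print(f"{label:6} {parsed['facility']}.{parsed['severity']:8} "
              f"flooding={route(line, FLOODING)} quiet={route(line, QUIET)} "
              f"partial={route(line, PARTIAL)}")
    print(frame_eve_record(EVE_RECORD)[:60] + "...")
```

Running it shows the EVE line reaching all three destinations under the flooding selectors, only `local` and `remote` after the `facility all level emerg` change, while the kernel emergency still reaches the console. The `PARTIAL` case illustrates why the per-facility variant only helps if the console has no broader `all` rule: selectors are unioned, not overridden. `frame_eve_record` shows the tag and PRI a file-tailing forwarder would attach to each eve.json record in the file-logging approach, so the same selector logic applies on the remote collector.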