<div dir="ltr">That's terrific, I'll give that a try.<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 12:40 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 02/13/2014 07:38 PM, Martin Holste wrote:<br>
> Writing to syslog is very important for large deployments with<br>
> centralized collection as well as saving IOPS that are spent writing to<br>
> disk unnecessarily. Syslog-NG can read JSON templates, so writing all of<br>
> these events to something like ELSA (which would be easy in<br>
> SecurityOnion) would easily enable searching and analytics based on the<br>
> wealth of data produced by the new logging framework. Dealing with<br>
> events in flat files adds a lot of complexity versus event streaming<br>
> using syslog.<br>
<br>
</div>Actually, the eve-log (the all json firehose) *does* support syslog:<br>
<br>
  # "United" event log in JSON format<br>
  - eve-log:<br>
      enabled: no<br>
      type: file #file|syslog|unix_dgram|unix_stream<br>
      filename: eve.json<br>
      # the following are valid when type: syslog above<br>
      #identity: "suricata"<br>
      #facility: local5<br>
      #level: Info ## possible levels: Emergency, Alert, Critical,<br>
                   ## Error, Warning, Notice, Info, Debug<br>
      types:<br>
        - alert<br>
        - http:<br>
            extended: yes     # enable this for extended logging information<br>
        - dns<br>
        - tls:<br>
            extended: yes     # enable this for extended logging information<br>
        - files:<br>
            force-magic: no   # force logging magic on all logged files<br>
            force-md5: no     # force logging of md5 checksums<br>
        #- drop<br>
<br>
So that might be good enough?<br>
<br>
Cheers,<br>
Victor<br>
<div><br>
><br>
> On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
</div><div><div>> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>> wrote:<br>
><br>
>     On 02/12/2014 09:47 PM, Gofran, Paul wrote:<br>
>     > Can the log files (specifically HTTP log) natively log to the syslog<br>
>     > facility?<br>
><br>
>     No.<br>
><br>
>     > I wanted to follow up to see if this is something that is desired or<br>
>     > would be a priority?   Is this something that the project would prefer<br>
>     > to accept as a patch if contributed?  Or are there reasons why this<br>
>     > hasn’t been included?<br>
><br>
>     I think it wouldn't be hard to add, but I don't think it's a big<br>
>     priority for us. That said, there are some people that ask for it, so<br>
>     I'd be happy to take a patch.<br>
><br>
>     > I found the following forum where this was brought up awhile ago, did<br>
>     > anything ever come of it?<br>
>     ><br>
>     > <a href="http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358" target="_blank">http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358</a><br>
><br>
>     I don't think so. In irc we recently discussed the topic of log file<br>
>     rotation. I think Jason Ish might be working on something there.<br>
><br>
>     --<br>
>     ---------------------------------------------<br>
>     Victor Julien<br>
>     <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
>     PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>     ---------------------------------------------<br>
><br>
>     _______________________________________________<br>
>     Suricata IDS Devel mailing list:<br>
>     <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
</div></div>>     <mailto:<a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a>><br>
<div><div>>     Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate:<br>
>     <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
>     List:<br>
>     <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
>     Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
</div></div></blockquote></div><br></div></div>
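Consuming the eve-log syslog output discussed above, as an added example that is not part of the thread or of Suricata itself: it parses syslog lines carrying eve JSON from identity "suricata" at facility local5 / level Info, drops records from other senders, priorities or truncated messages, and keeps the event types enabled in the quoted snippet. The line layout is an assumption (it depends on the collecting syslog daemon), and the sample lines are constructed.

```python
import json
import re
from typing import Optional

# Numeric codes (RFC 5424 section 6.2.1) for the facility/level names used in the snippet.
FACILITIES = {"local5": 21}
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Assumed line layout as a BSD-style collector writes it after Suricata calls syslog(3)
# with identity "suricata": "<PRI>Mon DD HH:MM:SS host identity[pid]: {json}".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<ident>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>\{.*\})$")

def parse_eve_syslog_line(line: str, identity: str = "suricata",
                          facility: str = "local5", level: str = "info") -> Optional[dict]:
    """Return the eve JSON event carried by one syslog line, or None when the line
    is not from the configured identity/facility/level or is not intact JSON."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("ident") != identity:
        return None
    pri = int(m.group("pri"))
    if pri // 8 != FACILITIES[facility] or pri % 8 != LEVELS[level]:
        return None  # another facility or priority: not the eve firehose
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None  # a message truncated by syslog line limits is dropped, not guessed
    return event if "event_type" in event else None

def select_events(lines, wanted=("alert", "http", "dns", "tls")):
    """Group parsed events by event_type, keeping only the types enabled in the snippet."""
    out = {t: [] for t in wanted}
    for line in lines:
        ev = parse_eve_syslog_line(line)
        if ev and ev["event_type"] in out:
            out[ev["event_type"]].append(ev)
    return out

# Constructed sample lines, not real Suricata output. PRI 174 = local5 (21) * 8 + info (6).
SAMPLE_LINES = [
    '<174>Feb 13 12:40:01 sensor1 suricata: {"timestamp":"2014-02-13T12:40:01.000000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"TEST constructed alert"}}',
    '<174>Feb 13 12:40:02 sensor1 suricata: {"timestamp":"2014-02-13T12:40:02.000000","event_type":"http","http":{"hostname":"example.test","url":"/","http_method":"GET"}}',
    '<174>Feb 13 12:40:03 sensor1 suricata: {"timestamp":"2014-02-13T12:40:03.000000","event_type":"dns","dns":{"type":"query","rrname":"example.test"}}',
    '<38>Feb 13 12:40:04 sensor1 sshd[123]: Accepted publickey for ops from 10.0.0.7',  # auth.info, not eve
    '<174>Feb 13 12:40:05 sensor1 suricata: {"timestamp":"2014-02-13T12:40:05.000000","event_type":"tls","tls":{"subject":"CN=example.test"}',  # truncated JSON
]
```

To feed this from the snippet, set `type: syslog` and uncomment `identity`, `facility` and `level` so the PRI and tag the collector sees match what the parser expects.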