<div dir="ltr">That's terrific, I'll give that a try.<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 12:40 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 02/13/2014 07:38 PM, Martin Holste wrote:<br>
> Writing to syslog is very important for large deployments with<br>
> centralized collection as well as saving IOPS that are spent writing to<br>
> disk unnecessarily. Syslog-NG can read JSON templates, so writing all of<br>
> these events to something like ELSA (which would be easy in<br>
> SecurityOnion) would easily enable searching and analytics based on the<br>
> wealth of data produced by the new logging framework. Dealing with<br>
> events in flat files adds a lot of complexity versus event streaming<br>
> using syslog.<br>
<br>
</div>Actually, the eve-log (the all json firehose) *does* support syslog:<br>
<br>
# "United" event log in JSON format<br>
- eve-log:<br>
enabled: no<br>
type: file #file|syslog|unix_dgram|unix_stream<br>
filename: eve.json<br>
# the following are valid when type: syslog above<br>
#identity: "suricata"<br>
#facility: local5<br>
#level: Info ## possible levels: Emergency, Alert, Critical,<br>
## Error, Warning, Notice, Info, Debug<br>
types:<br>
- alert<br>
- http:<br>
extended: yes # enable this for extended logging information<br>
- dns<br>
- tls:<br>
extended: yes # enable this for extended logging information<br>
- files:<br>
force-magic: no # force logging magic on all logged files<br>
force-md5: no # force logging of md5 checksums<br>
#- drop<br>
<br>
So that might be good enough?<br>
<br>
Cheers,<br>
Victor<br>
<div><br>
><br>
> On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
</div><div><div>> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>> wrote:<br>
><br>
> On 02/12/2014 09:47 PM, Gofran, Paul wrote:<br>
> > Can the log files (specifically HTTP log) natively log to the syslog<br>
> > facility?<br>
><br>
> No.<br>
><br>
> > I wanted to follow up to see if this is something that is desired or<br>
> > would be a priority? Is this something that the project would prefer<br>
> > to accept as a patch if contributed? Or are there reasons why this<br>
> > hasn’t been included?<br>
><br>
> I think it wouldn't be hard to add, but I don't think it's a big<br>
> priority for us. That said, there are some people that ask for it, so<br>
> I'd be happy to take a patch.<br>
><br>
> > I found the following forum where this was brought up awhile ago, did<br>
> > anything ever come of it?<br>
> ><br>
> > <a href="http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358" target="_blank">http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358</a><br>
><br>
> I don't think so. In irc we recently discussed the topic of log file<br>
> rotation. I think Jason Ish might be working on something there.<br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
> _______________________________________________<br>
> Suricata IDS Devel mailing list:<br>
> <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
</div></div>> <mailto:<a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a>><br>
<div><div>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate:<br>
> <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
> List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
> Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
><br>
><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div></div>