<div dir="ltr">Writing to syslog is very important for large deployments with centralized collection as well as saving IOPS that are spent writing to disk unnecessarily. Syslog-NG can read JSON templates, so writing all of these events to something like ELSA (which would be easy in SecurityOnion) would easily enable searching and analytics based on the wealth of data produced by the new logging framework. Dealing with events in flat files adds a lot of complexity versus event streaming using syslog.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 02/12/2014 09:47 PM, Gofran, Paul wrote:<br>
> Can the log files (specifically HTTP log) natively log to the syslog<br>
> facility?<br>
<br>
</div>No.<br>
<div class=""><br>
> I wanted to follow up to see if this is something that is desired or<br>
> would be a priority? Is this something that the project would prefer<br>
> to accept as a patch if contributed? Or are there reasons why this<br>
> hasn’t been included?<br>
<br>
</div>I think it wouldn't be hard to add, but I don't think it's a big<br>
priority for us. That said, there are some people that ask for it, so<br>
I'd be happy to take a patch.<br>
<div class=""><br>
> I found the following forum where this was brought up awhile ago, did<br>
> anything ever come of it?<br>
><br>
> <a href="http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358" target="_blank">http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358</a><br>
<br>
</div>I don't think so. In irc we recently discussed the topic of log file<br>
rotation. I think Jason Ish might be working on something there.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>