I like that idea.. this way dependent on the specific format of the organization, ie: CEE, CEF, etc. they can set up there own interface to whatever SIM they are using. Otherwise I fear we'll be in the mess of supporting "connectors" to different systems.<br>
<br><div class="gmail_quote">On Sun, Feb 12, 2012 at 3:25 PM, Matthew Jonkman <span dir="ltr"><<a href="mailto:jonkman@emergingthreatspro.com">jonkman@emergingthreatspro.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
How about we just define a log format like you can for an apache customlog? Then we only have to solve the problem once....<br>
<br>
Matt<br>
<div><div class="h5"><br>
<br>
On Feb 12, 2012, at 11:54 AM, Peter Manev wrote:<br>
<br>
> On 2/12/2012 1:04 AM, Josh White wrote:<br>
>> That would work, I was originally thinking even an option to append the interface name and have have multiple stats files like stats.log.em1 or the reverse em1.stats.log. However if it was more of a csv format then it would be easier to graph in some cases.<br>
>><br>
>> On Fri, Feb 10, 2012 at 9:20 AM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>> wrote:<br>
>> On 02/10/2012 02:44 AM, Peter Manev wrote:<br>
>> > Hi,<br>
>> ><br>
>> > I don't think this is possible(in suri), you could of course use some<br>
>> > bash/perl/your choice of scripting to achieve that.<br>
>><br>
>> It's indeed not possible right now. I'm a bit torn on it, as I see use<br>
>> for both cases. Ideally we're have it both simultaneously. Maybe we<br>
>> should an easily parseble (csv or something) output option.<br>
>><br>
> Actually I am very fond of the csv availability (in yaml maybe? ) for the different log files output. I agree with Josh - there are plenty of tools that make graphing possible (using csv files) and it would also come in handy for GeoIP visualization.<br>
><br>
><br>
>> Cheers,<br>
>> Victor<br>
>><br>
>> ><br>
>> > Thanks<br>
>> ><br>
>> > On Thu, Feb 9, 2012 at 2:33 AM, Josh White <<a href="mailto:josh@securemind.org">josh@securemind.org</a><br>
>> > <mailto:<a href="mailto:josh@securemind.org">josh@securemind.org</a>>> wrote:<br>
>> ><br>
>> > When I run Suri to monitor multiple interfaces like "suricata -c<br>
>> > /etc/suricata/suricata.yaml -i em1 -i em2 -i em3" the stats.log file<br>
>> > has multiple entries for each stat. "one entry for each interface<br>
>> > being monitored"<br>
>> ><br>
>> > Is there an easy way to consolidate the stats so all the interface<br>
>> > stats are consolidated?<br>
>> ><br>
>> > Josh<br>
>> ><br>
>> > _______________________________________________<br>
>> > Oisf-users mailing list<br>
>> > <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>
>> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> ><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > Peter Manev<br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > Oisf-users mailing list<br>
>> > <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> > <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>><br>
>><br>
>> --<br>
>> ---------------------------------------------<br>
>> Victor Julien<br>
>> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>> ---------------------------------------------<br>
>><br>
>> _______________________________________________<br>
>> Oisf-users mailing list<br>
>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Oisf-users mailing list<br>
>><br>
>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
><br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
</div></div>----------------------------------------------------<br>
Matt Jonkman<br>
Emerging Threats Pro<br>
Open Information Security Foundation (OISF)<br>
Phone <a href="tel:866-504-2523%20x110" value="+18665042523">866-504-2523 x110</a><br>
<a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
<a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------<br>
<br>
<br>
</blockquote></div><br>