<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Sagan has a very new output plugin for EVE Alert format. </div><div><br></div><div>Yes, you can use unified2 to get the data into a MySQL/PostgreSQL/whatever database to do correlation between Suricata &amp; Sagan data.   Sagan doesn't have "flow ids" like Suricata, but you should be able to correlate on source/destination/ports/etc.</div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Alexis Fredes Hadad" &lt;amfh2408@gmail.com&gt;<br><b>To: </b>oisf-users@lists.openinfosecfoundation.org<br><b>Sent: </b>Monday, March 20, 2017 4:14:56 PM<br><b>Subject: </b>[Oisf-users] Suricata with Sagan<br></div><br><div data-marker="__QUOTED_TEXT__"><div dir="ltr"><div>Hello!<br><br>I am trying to correlate Suricata's output log events with Sagan. I already found that I could take Suricata's unified2 output and correlate this with Sagan as an input. Am I right? Thanks<br><br></div>Alee<br></div>
<br>_______________________________________________<br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br></div></div></body></html>
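<div>The reply above says Sagan alerts carry no Suricata flow_id, so the two event streams have to be joined on the endpoint tuple (source/destination IPs and ports) plus a time window. The script below is an added example, not code from the thread, from Sagan, or from Suricata. It assumes Sagan's EVE alert output uses the same src_ip/src_port/dest_ip/dest_port/proto/timestamp/alert.signature_id keys as Suricata's EVE alert records (an assumption about the new Sagan plugin, not something the reply states), and both input sets are constructed sample lines, not real sensor output. The join is made direction-insensitive because a Sagan event derived from a server's log may name the endpoints in the opposite order from the Suricata alert that saw the client's request.</div>

```python
"""Join Suricata EVE alerts with Sagan EVE alerts without a shared flow_id.

Key = (proto, endpoint, endpoint) with the two (ip, port) pairs sorted, so
direction does not matter; a time window filters out stale port reuse.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real sensor output). Field names follow
# Suricata's EVE alert schema; Sagan is ASSUMED to emit the same keys.
SURICATA_EVE = """\
{"timestamp":"2017-03-20T16:10:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature":"SSH scan (sample)","signature_id":9000001}}
{"timestamp":"2017-03-20T16:10:40.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","src_port":51240,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature":"Web attack (sample)","signature_id":9000002}}
{"timestamp":"2017-03-20T17:00:00.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.0.2.9","src_port":4444,"dest_ip":"10.0.0.30","dest_port":445,"proto":"TCP","alert":{"signature":"SMB probe (sample)","signature_id":9000003}}
"""

SAGAN_EVE = """\
{"timestamp":"2017-03-20T16:10:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature":"sshd auth failure (sample)","signature_id":8000001}}
{"timestamp":"2017-03-20T16:25:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51240,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature":"httpd 500 (sample)","signature_id":8000002}}
{"timestamp":"2017-03-20T17:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.30","src_port":445,"dest_ip":"192.0.2.9","dest_port":4444,"proto":"TCP","alert":{"signature":"host logon failure (sample)","signature_id":8000003}}
"""


def parse_eve(text):
    """Yield decoded alert records from EVE JSON lines, skipping blanks and non-alert events."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            yield rec


def endpoint_key(rec):
    """Direction-insensitive key: protocol plus the two (ip, port) endpoints, sorted."""
    a = (rec["src_ip"], int(rec["src_port"]))
    b = (rec["dest_ip"], int(rec["dest_port"]))
    return (rec.get("proto", "").upper(),) + tuple(sorted([a, b]))


def event_time(rec):
    """Parse the EVE timestamp, including its numeric UTC offset."""
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate(suricata_text, sagan_text, window_seconds=60):
    """Return one match per Suricata/Sagan alert pair sharing an endpoint key within the window."""
    sagan_by_key = defaultdict(list)
    for rec in parse_eve(sagan_text):
        sagan_by_key[endpoint_key(rec)].append(rec)

    matches = []
    for s in parse_eve(suricata_text):
        for g in sagan_by_key.get(endpoint_key(s), []):
            delta = abs((event_time(g) - event_time(s)).total_seconds())
            if delta <= window_seconds:
                matches.append({
                    "flow_id": s.get("flow_id"),
                    "suricata_sid": s["alert"]["signature_id"],
                    "suricata_sig": s["alert"]["signature"],
                    "sagan_sid": g["alert"]["signature_id"],
                    "sagan_sig": g["alert"]["signature"],
                    "delta_seconds": delta,
                })
    return matches


if __name__ == "__main__":
    for m in correlate(SURICATA_EVE, SAGAN_EVE):
        print(json.dumps(m))
```

<div>With the default 60-second window the sample data yields two matches (flows 1 and 3, the latter only because the key ignores direction); the web alert and the httpd log line share a tuple but are 14 minutes apart, so they are dropped rather than joined on a possibly reused ephemeral port. The window is the knob to tune: too wide and unrelated events on a reused port pair up, too narrow and clock skew between the sensor and the syslog source hides real matches. The same join expressed in SQL over unified2-fed tables is a simple equality on the IP and port columns with an ABS() on the timestamp difference.</div>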