[Oisf-devel] Log output - syslog
Victor Julien
victor at inliniac.net
Thu Feb 13 18:40:48 UTC 2014
On 02/13/2014 07:38 PM, Martin Holste wrote:
> Writing to syslog is very important for large deployments with
> centralized collection as well as saving IOPS that are spent writing to
> disk unnecessarily. Syslog-NG can read JSON templates, so writing all of
> these events to something like ELSA (which would be easy in
> SecurityOnion) would easily enable searching and analytics based on the
> wealth of data produced by the new logging framework. Dealing with
> events in flat files adds a lot of complexity versus event streaming
> using syslog.
Actually, the eve-log (the all json firehose) *does* support syslog:
  # "United" event log in JSON format
  - eve-log:
      enabled: no
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop
So that might be good enough?
Cheers,
Victor
>
> On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <victor at inliniac.net> wrote:
>
> On 02/12/2014 09:47 PM, Gofran, Paul wrote:
> > Can the log files (specifically HTTP log) natively log to the syslog
> > facility?
>
> No.
>
> > I wanted to follow up to see if this is something that is desired or
> > would be a priority? Is this something that the project would prefer
> > to accept as a patch if contributed? Or are there reasons why this
> > hasn’t been included?
>
> I think it wouldn't be hard to add, but I don't think it's a big
> priority for us. That said, there are some people that ask for it, so
> I'd be happy to take a patch.
>
> > I found the following forum where this was brought up awhile ago, did
> > anything ever come of it?
> >
> > http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
>
> I don't think so. In irc we recently discussed the topic of log file
> rotation. I think Jason Ish might be working on something there.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list:
> oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
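As an added example (not part of this thread or of Suricata's own code), the following Python consumes EVE records that arrive over syslog with the identity, facility and level from the stanza quoted above, rejects lines whose PRI or program tag do not match those settings, and tallies event types. It assumes BSD-style (RFC 3164) framing as a typical syslog daemon writes it; the sample lines are constructed, not captured traffic.

```python
import json
import re
# Settings from the eve-log syslog stanza above (assumed switched on).
IDENTITY, FACILITY, LEVEL = "suricata", "local5", "Info"
# RFC 3164 numeric codes; the PRI field is facility * 8 + severity.
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
              "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
# Assumed BSD-style framing: <PRI>Mon dd hh:mm:ss host identity[pid]: {eve json}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[\d+\])?: (?P<msg>\{.*\})$")
# Constructed sample input (not captured traffic): alert, http, and a foreign sshd line.
SAMPLE_LINES = [
    '<174>Feb 13 18:40:48 sensor1 suricata[2112]: {"event_type":"alert","src_ip":"192.0.2.10",'
    '"dest_ip":"198.51.100.20","alert":{"signature_id":1000001,"signature":"TEST rule"}}',
    '<174>Feb 13 18:40:49 sensor1 suricata[2112]: {"event_type":"http","src_ip":"192.0.2.10",'
    '"dest_ip":"198.51.100.20","http":{"hostname":"example.test","url":"/index.html"}}',
    '<30>Feb 13 18:40:50 sensor1 sshd[999]: Accepted publickey for operator',
]

def expected_pri(facility=FACILITY, level=LEVEL):
    # The PRI Suricata's syslog output should carry for the configured facility/level.
    return FACILITIES[facility] * 8 + SEVERITIES[level]

def parse_eve_syslog(line, identity=IDENTITY, facility=FACILITY, level=LEVEL):
    """Return the EVE record as a dict, or raise ValueError for a line we do not trust."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-framed EVE line")
    if int(m["pri"]) != expected_pri(facility, level):
        raise ValueError("PRI %s does not match %s/%s" % (m["pri"], facility, level))
    if m["tag"] != identity:
        raise ValueError("unexpected identity %r" % m["tag"])
    event = json.loads(m["msg"])
    if "event_type" not in event:
        raise ValueError("EVE record without event_type")
    return event

def count_by_event_type(lines):
    """Tally event_type over a batch of lines, skipping any that fail validation."""
    counts = {}
    for line in lines:
        try:
            event = parse_eve_syslog(line)
        except ValueError:
            continue
        counts[event["event_type"]] = counts.get(event["event_type"], 0) + 1
    return counts
```

With local5/Info the PRI is 21 * 8 + 6 = 174, so a collector filtering on that facility and program tag sees only the Suricata firehose and not other daemons sharing the same syslog socket.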