[Oisf-devel] Log output - syslog

Victor Julien victor at inliniac.net
Thu Feb 13 18:40:48 UTC 2014


On 02/13/2014 07:38 PM, Martin Holste wrote:
> Writing to syslog is very important for large deployments with
> centralized collection as well as saving IOPS that are spent writing to
> disk unnecessarily. Syslog-NG can read JSON templates, so writing all of
> these events to something like ELSA (which would be easy in
> SecurityOnion) would easily enable searching and analytics based on the
> wealth of data produced by the new logging framework. Dealing with
> events in flat files adds a lot of complexity versus event streaming
> using syslog.

Actually, the eve-log (the all json firehose) *does* support syslog:

  # "United" event log in JSON format
  - eve-log:
      enabled: no
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop

So that might be good enough?

Cheers,
Victor

> 
> On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <victor at inliniac.net> wrote:
> 
>     On 02/12/2014 09:47 PM, Gofran, Paul wrote:
>     > Can the log files (specifically HTTP log) natively log to the syslog
>     > facility?
> 
>     No.
> 
>     > I wanted to follow up to see if this is something that is desired or
>     > would be a priority?   Is this something that the project would prefer
>     > to accept as a patch if contributed?  Or are there reasons why this
>     > hasn’t been included?
> 
>     I think it wouldn't be hard to add, but I don't think it's a big
>     priority for us. That said, there are some people that ask for it, so
>     I'd be happy to take a patch.
> 
>     > I found the following forum where this was brought up awhile ago, did
>     > anything ever come of it?
>     >
>     > http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
> 
>     I don't think so. In irc we recently discussed the topic of log file
>     rotation. I think Jason Ish might be working on something there.
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
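Added example, not from this thread or the Suricata project: a small Python consumer for EVE records once they have gone out over syslog with the settings above, i.e. with identity "suricata" tagging each JSON record. It assumes the collector writes the common "Mon dd HH:MM:SS host identity[pid]: message" line layout, and the sample lines are constructed; it separates alerts from other event types, from lines of other programs, and from records cut off by a syslog message-length limit.

```python
import json
import re
from typing import Iterable, Optional, Tuple

# Assumed line layout, as a common rsyslog/syslog-ng file template writes it:
# "<Mon dd HH:MM:SS> <host> <identity>[<pid>]: <json>"; <identity> is the
# eve-log "identity" value from suricata.yaml ("suricata" in the snippet above).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<ident>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>\{.*)$"
)

def classify(line: str, identity: str = "suricata") -> Tuple[str, Optional[dict]]:
    """("foreign", None): other program or no JSON payload;
    ("damaged", None): JSON does not parse; ("event", record): usable EVE record."""
    m = SYSLOG_RE.match(line)
    if m is None or m.group("ident") != identity:
        return "foreign", None
    try:
        return "event", json.loads(m.group("msg"))
    except json.JSONDecodeError:
        # Syslog transports commonly cap message length, so long EVE records
        # (extended http/tls, file events) can arrive cut off mid-record.
        return "damaged", None

def summarize(lines: Iterable[str], identity: str = "suricata") -> dict:
    """Collect alerts as (src_ip, dest_ip, signature, severity) and count
    everything that could not be used, so transport losses stay visible."""
    out = {"alerts": [], "other_events": 0, "foreign": 0, "damaged": 0}
    for line in lines:
        status, ev = classify(line, identity)
        if status != "event":
            out[status] += 1
        elif ev.get("event_type") == "alert":
            a = ev.get("alert", {})
            out["alerts"].append((ev.get("src_ip"), ev.get("dest_ip"),
                                  a.get("signature"), a.get("severity")))
        else:
            out["other_events"] += 1
    return out

# Constructed sample lines: one alert, one dns event, one sshd line and one
# http record truncated by the transport.
SAMPLE_LINES = [
    'Feb 13 18:40:48 sensor1 suricata: {"event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","alert":{"signature":"EXAMPLE test rule","severity":2}}',
    'Feb 13 18:40:48 sensor1 suricata: {"event_type":"dns","dns":{"rrname":"example.com"}}',
    'Feb 13 18:40:49 sensor1 sshd[1234]: Accepted publickey for admin from 10.0.0.7',
    'Feb 13 18:40:50 sensor1 suricata: {"event_type":"http","http":{"hostname":"examp',
]
```

The "damaged" counter is the one to watch in a real deployment: a rising count usually means records larger than the syslog message limit, not a parsing bug.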