[Oisf-devel] Log output - syslog
Martin Holste
mcholste at gmail.com
Thu Feb 13 19:25:23 UTC 2014
That's terrific, I'll give that a try.
On Thu, Feb 13, 2014 at 12:40 PM, Victor Julien <victor at inliniac.net> wrote:
> On 02/13/2014 07:38 PM, Martin Holste wrote:
> > Writing to syslog is very important for large deployments with
> > centralized collection as well as saving IOPS that are spent writing to
> > disk unnecessarily. Syslog-NG can read JSON templates, so writing all of
> > these events to something like ELSA (which would be easy in
> > SecurityOnion) would easily enable searching and analytics based on the
> > wealth of data produced by the new logging framework. Dealing with
> > events in flat files adds a lot of complexity versus event streaming
> > using syslog.
>
> Actually, the eve-log (the all json firehose) *does* support syslog:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: no
>       type: file #file|syslog|unix_dgram|unix_stream
>       filename: eve.json
>       # the following are valid when type: syslog above
>       #identity: "suricata"
>       #facility: local5
>       #level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes     # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes     # enable this for extended logging information
>         - files:
>             force-magic: no   # force logging magic on all logged files
>             force-md5: no     # force logging of md5 checksums
>         #- drop
>
> So that might be good enough?
>
> Cheers,
> Victor
>
> >
> > On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <victor at inliniac.net> wrote:
> >
> > On 02/12/2014 09:47 PM, Gofran, Paul wrote:
> > > Can the log files (specifically HTTP log) natively log to the syslog
> > > facility?
> >
> > No.
> >
> > > I wanted to follow up to see if this is something that is desired or
> > > would be a priority? Is this something that the project would prefer
> > > to accept as a patch if contributed? Or are there reasons why this
> > > hasn't been included?
> >
> > I think it wouldn't be hard to add, but I don't think it's a big
> > priority for us. That said, there are some people that ask for it, so
> > I'd be happy to take a patch.
> >
> > > I found the following forum where this was brought up awhile ago, did
> > > anything ever come of it?
> > >
> > > http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
> >
> > I don't think so. In irc we recently discussed the topic of log file
> > rotation. I think Jason Ish might be working on something there.
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Participate:
> > http://suricata-ids.org/participate/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
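The config fragment above sends every EVE record as the body of one syslog message, which is what Martin's centralized-collection setup would consume on the other end. The consumer below is an added example written for this page; it is not code from the thread or from the Suricata project. It assumes eve-log is running with `type: syslog` and the commented `facility: local5` / `level: Info` defaults (so PRI 174 in the sample header), and the `SAMPLE_LINES` it processes are constructed, not captured from a sensor. One caveat it handles deliberately: classic BSD syslog over UDP caps messages at 1024 bytes and many relays truncate anything longer, so an `http` or `tls` record with `extended: yes` can arrive as cut-off, invalid JSON. The parser counts such lines instead of dying on them, which is the behaviour you want in a collector that must keep ingesting the rest of the firehose.

```python
"""Consume Suricata eve-log records that arrive over syslog.

Added example for this thread; it is not code from the Suricata project.
It assumes eve-log runs with `type: syslog` as in the suricata.yaml
fragment quoted above, so every EVE record is the message body of one
syslog line. SAMPLE_LINES below are constructed for the example, not
captured from a sensor.
"""
import json
from collections import Counter

_DECODER = json.JSONDecoder()


def extract_json(line):
    """Return the EVE record carried by one syslog line, or None.

    The syslog header (<PRI>timestamp host ident[pid]: ) never contains
    '{', so the record starts at the first brace. raw_decode tolerates
    trailing whitespace but fails on a record cut short in transit,
    which is what an over-long http/tls event looks like after a UDP
    syslog hop; callers count those rather than crash on them.
    """
    start = line.find("{")
    if start < 0:
        return None
    try:
        record, _ = _DECODER.raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def summarize(lines):
    """Tally events per event_type and pull out alert rows.

    Returns (Counter of event_type, list of alert dicts, count of lines
    that carried no parseable EVE record).
    """
    by_type = Counter()
    alerts = []
    unparsed = 0
    for line in lines:
        record = extract_json(line)
        if record is None or "event_type" not in record:
            unparsed += 1
            continue
        by_type[record["event_type"]] += 1
        if record["event_type"] == "alert":
            alert = record.get("alert", {})
            alerts.append({
                "timestamp": record.get("timestamp"),
                "sid": alert.get("signature_id"),
                "signature": alert.get("signature"),
                "severity": alert.get("severity"),
                "flow": "%s:%s -> %s:%s" % (
                    record.get("src_ip"), record.get("src_port"),
                    record.get("dest_ip"), record.get("dest_port")),
            })
    return by_type, alerts, unparsed


# Constructed sample input: PRI 174 = local5.info, matching the commented
# facility/level defaults in the quoted config. The third line is cut off
# mid-string to mimic a record truncated by a UDP syslog relay.
SAMPLE_LINES = [
    '<174>Feb 13 19:25:23 sensor1 suricata[4242]: {"timestamp":"2014-02-13T19:25:23.000001+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51234,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '<174>Feb 13 19:25:24 sensor1 suricata[4242]: {"timestamp":"2014-02-13T19:25:24.000002+0000","event_type":"dns","src_ip":"192.0.2.10","src_port":53012,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31337,"rrname":"example.com","rrtype":"A"}}',
    '<174>Feb 13 19:25:25 sensor1 suricata[4242]: {"timestamp":"2014-02-13T19:25:25.000003+0000","event_type":"http","src_ip":"192.0.2.10","src_port":51240,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/index.html","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64',
    '<174>Feb 13 19:25:26 sensor1 suricata[4242]: {"timestamp":"2014-02-13T19:25:26.000004+0000","event_type":"tls","src_ip":"192.0.2.10","src_port":51250,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","tls":{"subject":"CN=example.com","issuerdn":"CN=Example CA","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"}}',
]

if __name__ == "__main__":
    by_type, alerts, unparsed = summarize(SAMPLE_LINES)
    print("events by type:", dict(by_type))
    for row in alerts:
        print("alert sid=%(sid)s sev=%(severity)s %(flow)s %(signature)s" % row)
    print("unparsed lines:", unparsed)
```

Pointing `summarize()` at `sys.stdin` instead of `SAMPLE_LINES` turns it into a filter you can hang off a syslog-ng `program()` destination. If the unparsed count climbs on a real feed, switch the eve-log transport to `unix_stream` or a TCP syslog destination before tuning anything else, since UDP truncation is invisible to Suricata itself.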