[Oisf-devel] Log output - syslog

Martin Holste mcholste at gmail.com
Thu Feb 13 19:25:23 UTC 2014


That's terrific, I'll give that a try.


On Thu, Feb 13, 2014 at 12:40 PM, Victor Julien <victor at inliniac.net> wrote:

> On 02/13/2014 07:38 PM, Martin Holste wrote:
> > Writing to syslog is very important for large deployments with
> > centralized collection as well as saving IOPS that are spent writing to
> > disk unnecessarily. Syslog-NG can read JSON templates, so writing all of
> > these events to something like ELSA (which would be easy in
> > SecurityOnion) would easily enable searching and analytics based on the
> > wealth of data produced by the new logging framework. Dealing with
> > events in flat files adds a lot of complexity versus event streaming
> > using syslog.
>
> Actually, the eve-log (the all json firehose) *does* support syslog:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: no
>       type: file #file|syslog|unix_dgram|unix_stream
>       filename: eve.json
>       # the following are valid when type: syslog above
>       #identity: "suricata"
>       #facility: local5
>       #level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes     # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes     # enable this for extended logging information
>         - files:
>             force-magic: no   # force logging magic on all logged files
>             force-md5: no     # force logging of md5 checksums
>         #- drop
>
> So that might be good enough?
>
> Cheers,
> Victor
>
> >
> > On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <victor at inliniac.net
> > <mailto:victor at inliniac.net>> wrote:
> >
> >     On 02/12/2014 09:47 PM, Gofran, Paul wrote:
> >     > Can the log files (specifically HTTP log) natively log to the syslog
> >     > facility?
> >
> >     No.
> >
> >     > I wanted to follow up to see if this is something that is desired or
> >     > would be a priority?   Is this something that the project would prefer
> >     > to accept as a patch if contributed?  Or are there reasons why this
> >     > hasn't been included?
> >
> >     I think it wouldn't be hard to add, but I don't think it's a big
> >     priority for us. That said, there are some people that ask for it, so
> >     I'd be happy to take a patch.
> >
> >     > I found the following forum where this was brought up awhile ago, did
> >     > anything ever come of it?
> >     >
> >     > http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
> >
> >     I don't think so. In irc we recently discussed the topic of log file
> >     rotation. I think Jason Ish might be working on something there.
> >
> >     --
> >     ---------------------------------------------
> >     Victor Julien
> >     http://www.inliniac.net/
> >     PGP: http://www.inliniac.net/victorjulien.asc
> >     ---------------------------------------------
> >
> >     _______________________________________________
> >     Suricata IDS Devel mailing list:
> >     oisf-devel at openinfosecfoundation.org
> >     <mailto:oisf-devel at openinfosecfoundation.org>
> >     Site: http://suricata-ids.org | Participate:
> >     http://suricata-ids.org/participate/
> >     List:
> >     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> >     Redmine: https://redmine.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
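The eve-log snippet Victor quotes above sends every EVE record through syslog(3) when `type: syslog` is set. On the collector, each record then arrives as one syslog line with a PRI header and the configured identity in front of the JSON, so the first thing a consumer has to do is peel the syslog framing off before it can decode the record. The script below is an added example, not Suricata's or the list's own code; it assumes the settings shown in the quoted config (`identity: "suricata"`, `facility: local5`, `level: Info`, so PRI = 21*8 + 6 = 174) and RFC 3164-style lines as a stock syslog daemon would write them. The sample lines are constructed for the example. It also handles the failure mode a practitioner hits first with this setup: an extended http, tls or files record that exceeds the syslog daemon's per-message limit arrives cut off and is no longer valid JSON, so it is counted as truncated instead of being silently lost or crashing the consumer.

```python
"""Parse Suricata eve-log records delivered over syslog (added example).

Assumes eve-log runs with type: syslog, identity "suricata", facility local5
and level Info, so each EVE record arrives as one RFC 3164-style line:

    <PRI>Mon DD HH:MM:SS host suricata: {json}
"""
import json
import re

# RFC 3164 numeric codes: PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "      # identity, possibly followed by [pid]
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line into header fields plus the decoded EVE record.

    Returns None for lines that are not syslog at all. A line whose payload
    is not valid JSON (typically an extended record cut at the daemon's size
    limit) is returned with event=None and truncated=True.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    rec = {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "host": m.group("host"),
        "identity": m.group("tag").split("[")[0],
        "event": None,
        "truncated": False,
    }
    try:
        rec["event"] = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        rec["truncated"] = True
    return rec


def summarize(lines, identity="suricata"):
    """Count EVE records by event_type, keeping truncated and foreign lines visible."""
    out = {"by_event_type": {}, "truncated": 0, "skipped": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["identity"] != identity:
            out["skipped"] += 1          # not from this eve-log stream
            continue
        if rec["truncated"]:
            out["truncated"] += 1        # JSON cut off in transit
            continue
        et = rec["event"].get("event_type", "unknown")
        out["by_event_type"][et] = out["by_event_type"].get(et, 0) + 1
    return out


# Constructed sample input: two complete EVE records, one record truncated
# mid-JSON, and one unrelated syslog line without a PRI header.
SAMPLE = [
    '<174>Feb 13 19:25:23 sensor1 suricata: {"timestamp":"2014-02-13T19:25:23.123456+0000",'
    '"event_type":"alert","src_ip":"192.0.2.10","src_port":51234,"dest_ip":"198.51.100.5",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,'
    '"rev":1,"signature":"LOCAL test alert","category":"Misc activity","severity":3}}',
    '<174>Feb 13 19:25:24 sensor1 suricata: {"timestamp":"2014-02-13T19:25:24.654321+0000",'
    '"event_type":"http","src_ip":"192.0.2.10","src_port":51235,"dest_ip":"198.51.100.5",'
    '"dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/index.html",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1234}}',
    '<174>Feb 13 19:25:25 sensor1 suricata: {"timestamp":"2014-02-13T19:25:25.000000+0000",'
    '"event_type":"http","http":{"hostname":"example.com","url":"/very/long/path/',
    'Feb 13 19:25:26 sensor1 kernel: not an eve-log line',
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

The truncation counter is the number to watch when moving a busy sensor from `type: file` to `type: syslog`: if it climbs, either raise the daemon's message size limit or leave the large record types (files, extended http/tls) on the file output and send only alerts over syslog.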