[Oisf-users] Best options to manage http.log file

Martin Holste mcholste at gmail.com
Mon Nov 28 22:43:04 EST 2011


> If you want to perform analytics then splunk is an option.
> Alternatively, you could look at a more advanced tool like Martin
> Holste's ELSA:
>
> http://ossectools.blogspot.com/2011/11/elsa-beta-available.html

I've added patterns for parsing Suricata HTTP logs properly into
fields in ELSA, but you'll have to forward them using syslog.  This is
really easy with either syslog-ng (using the file() source) or rsyslog
(using $InputFileName).  In both cases, set the program to "url" and
they'll parse into all the right fields so you can do searches like
this:
+referer:showthread.php +user_agent:java
and then report on the IP addresses, dates, sites, etc.
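A syslog-ng configuration that does the forwarding Martin describes (tail http.log, force the program name to "url", send via syslog), added here as an illustration rather than taken from the post, ELSA or Suricata; the log path, the ELSA hostname and the port are assumptions:

```conf
# Added example, not from the original post. Assumptions: Suricata writes
# /var/log/suricata/http.log and ELSA accepts syslog on elsa.example.org:514.

# Tail http.log. flags(no-parse) stores each line untouched in MESSAGE
# instead of trying to read a syslog header that the file does not have.
source s_suricata_http {
    file("/var/log/suricata/http.log" follow-freq(1) flags(no-parse));
};

# ELSA picks its parser by program name, so set PROGRAM to "url", the name
# the post says the Suricata HTTP patterns are registered under.
rewrite r_program_url {
    set("url", value("PROGRAM"));
};

# Deliver to ELSA over syslog. Use tcp() instead if dropped lines matter.
destination d_elsa {
    udp("elsa.example.org" port(514));
};

log {
    source(s_suricata_http);
    rewrite(r_program_url);
    destination(d_elsa);
};
```

Check with `syslog-ng --syntax-only` before reloading, and confirm in ELSA that the forwarded events show program "url" and populated fields such as user_agent and referer.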
