[Oisf-users] Best options to manage http.log file

Paul Halliday paul.halliday at gmail.com
Tue Nov 29 00:15:02 UTC 2011


On Mon, Nov 28, 2011 at 6:57 PM, carlopmart <carlopmart at gmail.com> wrote:
>
> Hi all,
>
>  I have set up two suricata sensors to monitor http and proxy access
> traffic. All traffic is redirected to http.log, but it offers a lot of data
> and I am searching for a tool to manage it efficiently.
>
>  What options do you know? A Splunk server, using a tool like http_agent
> to store on sguil database?
>

It depends on what you intend to do with the data. If you are just
looking for added context on an alert-by-alert basis then http_agent
will be fine. The agent just blobs all of the fields into Sguil's data
table, which means you only have an index on the domain. This poo poos
doing anything especially interesting (URI searches for example).

If you want to perform analytics then Splunk is an option.
Alternatively, you could look at a more advanced tool like Martin
Holste's ELSA:

http://ossectools.blogspot.com/2011/11/elsa-beta-available.html

> Thanks.
>
> ---
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

-- 
Paul Halliday
http://www.squertproject.org/
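An added example, not code from the thread or from any of the tools named in it, showing the indexing point made above: parsing http.log into structured records and indexing on URI path segments as well as on hostname, so that URI searches become cheap. It assumes the basic Suricata 1.x http.log layout (timestamp, hostname, URI, user agent, src -> dst separated by ` [**] `); the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed basic Suricata 1.x http.log layout:
#   <timestamp> <hostname> [**] <uri> [**] <user-agent> [**] <src>:<port> -> <dst>:<port>
SAMPLE_HTTP_LOG = """\
11/28/2011-18:57:03.123456 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 10.1.1.5:51234 -> 192.0.2.10:80
11/28/2011-18:57:04.223456 www.example.com [**] /admin/login.php [**] Mozilla/5.0 [**] 10.1.1.5:51235 -> 192.0.2.10:80
11/28/2011-18:57:05.323456 cdn.example.net [**] /js/app.js [**] Mozilla/5.0 [**] 10.1.1.6:40001 -> 198.51.100.7:80
11/28/2011-18:57:06.423456 intranet.local [**] /admin/ [**] curl/7.21 [**] 10.1.1.7:40002 -> 10.0.0.2:8080
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def parse_http_log(text):
    """Return one dict per well-formed line; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        ts_host, sep, rest = line.partition(" [**] ")
        if not sep:
            continue
        fields = rest.split(" [**] ")  # uri, user-agent, ..., flow
        if len(fields) < 3:
            continue
        ts, _, host = ts_host.partition(" ")
        m = FLOW_RE.match(fields[-1])
        if not m:
            continue
        records.append({"ts": ts, "host": host, "uri": fields[0], "ua": fields[1],
                        "src_ip": m.group(1), "src_port": int(m.group(2)),
                        "dst_ip": m.group(3), "dst_port": int(m.group(4))})
    return records


def build_indexes(records):
    """Index by hostname and by URI path segment; a host-only index cannot answer URI queries."""
    by_host, by_segment = defaultdict(list), defaultdict(list)
    for i, r in enumerate(records):
        by_host[r["host"]].append(i)
        for seg in r["uri"].split("/"):
            if seg:
                by_segment[seg].append(i)
    return by_host, by_segment


def search_uri_segment(records, by_segment, segment):
    """All requests whose URI contains the given path segment, in log order."""
    return [records[i] for i in by_segment.get(segment, [])]
```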