[Oisf-users] Best options to manage http.log file
Martin Holste
mcholste at gmail.com
Tue Nov 29 03:43:04 UTC 2011
> If you want to perform analytics then splunk is an option.
> Alternatively, you could look at a more advanced tool like Martin
> Holste's ELSA:
>
> http://ossectools.blogspot.com/2011/11/elsa-beta-available.html
I've added patterns for parsing Suricata HTTP logs properly into
fields in ELSA, but you'll have to forward them using syslog. This is
really easy with either syslog-ng (using the file() source) or rsyslog
(using $InputFileName). In both cases, set the program to "url" and
they'll parse into all the right fields so you can do searches like
this:
+referer:showthread.php +user_agent:java
and then report on the IP addresses, dates, sites, etc.
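The syslog-ng side of the forwarding step described above, as an added configuration example that is not part of the original post; the http.log path, the collector host name and the syslog-ng version line are assumptions.

```conf
# Added example (not from the original post): syslog-ng 3.x configuration that
# tails Suricata's http.log and forwards each line to an ELSA syslog collector
# with the program name forced to "url", which is what ELSA keys its HTTP
# parsing patterns on.
# Assumed values: /var/log/suricata/http.log and the host elsa.example.internal.

@version: 3.3

source s_suricata_http {
    file("/var/log/suricata/http.log"
         follow-freq(1)              # re-check the file for new lines every second
         flags(no-parse)             # http.log lines are not syslog-formatted; keep them intact
         program-override("url")     # set $PROGRAM to "url" so ELSA applies its URL patterns
    );
};

destination d_elsa {
    tcp("elsa.example.internal" port(514));   # plain syslog over TCP to the ELSA host
};

log {
    source(s_suricata_http);
    destination(d_elsa);
};
```

Once the logs arrive tagged as program "url", field searches such as the +referer/+user_agent query above work without further mapping.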