[Oisf-users] Best options to manage http.log file
carlopmart
carlopmart at gmail.com
Tue Nov 29 08:47:00 UTC 2011
On Mon, 28 Nov 2011, Martin Holste wrote:
>> If you want to perform analytics then splunk is an option.
>> Alternatively, you could look at a more advanced tool like Martin
>> Holste's ELSA:
>>
>> http://ossectools.blogspot.com/2011/11/elsa-beta-available.html
>
> I've added patterns for parsing Suricata HTTP logs properly into
> fields in ELSA, but you'll have to forward them using syslog. This is
> really easy with either syslog-ng (using the file() source) or rsyslog
> (using $InputFileName). In both cases, set the program to "url" and
> they'll parse into all the right fields so you can do searches like
> this:
> +referer:showthread.php +user_agent:java
> and then report on the IP addresses, dates, sites, etc.
>
Thanks Paul and Martin. I am evaluating ELSA and Splunk at this moment.
But reading docs and install script for ELSA it seems to difficult to
maintain (I'm not worried about time spent on installation, but it is
important time needed to upgrade, to patch, etc).
---
CL Martinez
carlopmart {at} gmail {d0t} com
More information about the Oisf-users
mailing list