On Mon, 28 Nov 2011, Martin Holste wrote:

>> If you want to perform analytics then splunk is an option.
>> Alternatively, you could look at a more advanced tool like Martin
>> Holste's ELSA:
>> http://ossectools.blogspot.com/2011/11/elsa-beta-available.html
> I've added patterns for parsing Suricata HTTP logs properly into
> fields in ELSA, but you'll have to forward them using syslog.  This is
> really easy with either syslog-ng (using the file() source) or rsyslog
> (using $InputFileName).  In both cases, set the program to "url" and
> they'll parse into all the right fields so you can do searches like
> this:
> +referer:showthread.php +user_agent:java
> and then report on the IP addresses, dates, sites, etc.

Thanks Paul and Martin. I am evaluating ELSA and Splunk at this moment. 
But reading the docs and the install script for ELSA, it seems too difficult 
to maintain (I'm not worried about the time spent on installation, but the 
time needed to upgrade, to patch, etc. is important).

CL Martinez
carlopmart {at} gmail {d0t} com
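The forwarding step Martin describes above (tail Suricata's HTTP log with a syslog-ng file() source and ship it with the program name set to "url" so ELSA's patterns match), written out as an added example; this is not configuration from the thread or from the ELSA project. The log path /var/log/suricata/http.log, the ELSA host elsa.example.com and UDP port 514 are assumptions and should be replaced with your own values.

```conf
# Added example, not part of the original mailing-list post.
# syslog-ng 3.x: forward Suricata's http.log to ELSA with program "url".

source s_suricata_http {
    # Path is an assumption (Suricata's default-log-dir plus the http-log
    # filename); adjust to your suricata.yaml.
    file("/var/log/suricata/http.log"
        follow-freq(1)            # poll the file every second
        flags(no-parse)           # treat each line as an opaque message
        program-override("url")   # ELSA keys its HTTP patterns on program "url"
    );
};

destination d_elsa {
    # ELSA host and port are assumptions.
    udp("elsa.example.com" port(514));
};

log {
    source(s_suricata_http);
    destination(d_elsa);
};
```

With flags(no-parse) the whole line is kept as the message body and the program field would otherwise be empty, which is why program-override() is needed; the resulting syslog message reads "url: <http.log line>" on the ELSA side. The rsyslog equivalent uses the imfile module with $InputFileName pointing at the same file, $InputFileTag set to "url:", and $InputRunFileMonitor to start tailing. Two things to check before trusting the pipeline: the syslog daemon's user must be able to read the Suricata log, and if Suricata rotates http.log on its own schedule, confirm the source picks up the new file rather than holding the rotated inode.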

