[Oisf-users] [oisf-users] Consolidating Stats File Results from Multiple Interface Monitoring

Josh White josh at securemind.org
Mon Feb 13 19:06:36 UTC 2012


I like that idea. This way, depending on the specific format of the
organization, i.e. CEE, CEF, etc., they can set up their own interface to
whatever SIM they are using. Otherwise I fear we'll be in the mess of
supporting "connectors" to different systems.

On Sun, Feb 12, 2012 at 3:25 PM, Matthew Jonkman <
jonkman at emergingthreatspro.com> wrote:

> How about we just define a log format like you can for an apache
> customlog? Then we only have to solve the problem once....
>
> Matt
>
>
> On Feb 12, 2012, at 11:54 AM, Peter Manev wrote:
>
> > On 2/12/2012 1:04 AM, Josh White wrote:
> >> That would work, I was originally thinking even an option to append the
> interface name and have multiple stats files like stats.log.em1 or the
> reverse em1.stats.log. However, if it was more of a csv format then it would
> be easier to graph in some cases.
> >>
> >> On Fri, Feb 10, 2012 at 9:20 AM, Victor Julien <victor at inliniac.net>
> wrote:
> >> On 02/10/2012 02:44 AM, Peter Manev wrote:
> >> > Hi,
> >> >
> >> > I don't think this is possible(in suri), you could of course use some
> >> > bash/perl/your choice of scripting to achieve that.
> >>
> >> It's indeed not possible right now. I'm a bit torn on it, as I see use
> >> for both cases. Ideally we'd have both simultaneously. Maybe we
> >> should add an easily parseable (csv or something) output option.
> >>
> > Actually I am very fond of the csv availability (in yaml maybe?) for
> the different log files output. I agree with Josh - there are plenty of
> tools that make graphing possible (using csv files) and it would also come
> in handy for GeoIP visualization.
> >
> >
> >> Cheers,
> >> Victor
> >>
> >> >
> >> > Thanks
> >> >
> >> > On Thu, Feb 9, 2012 at 2:33 AM, Josh White <josh at securemind.org
> >> > <mailto:josh at securemind.org>> wrote:
> >> >
> >> >     When I run Suri to monitor multiple interfaces like "suricata -c
> >> >     /etc/suricata/suricata.yaml -i em1 -i em2 -i em3" the stats.log file
> >> >     has multiple entries for each stat. "one entry for each interface
> >> >     being monitored"
> >> >
> >> >     Is there an easy way to consolidate the stats so all the interface
> >> >     stats are consolidated?
> >> >
> >> >     Josh
> >> >
> >> >     _______________________________________________
> >> >     Oisf-users mailing list
> >> >     Oisf-users at openinfosecfoundation.org
> >> >     <mailto:Oisf-users at openinfosecfoundation.org>
> >> >
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Peter Manev
> >> >
> >> >
> >>
> >>
> >> --
> >> ---------------------------------------------
> >> Victor Julien
> >> http://www.inliniac.net/
> >> PGP: http://www.inliniac.net/victorjulien.asc
> >> ---------------------------------------------
> >>
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> > Peter Manev
> >
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
>
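Since the thread concludes that Suricata itself cannot merge the per-interface stats and that a script is the way to do it, here is an added example of such a script (not code from the thread or from Suricata). It assumes the three-column "Counter | TM Name | Value" stats.log layout of Suricata 1.x, constructs its own sample input with assumed per-interface thread names, sums each counter across the capture threads of the newest interval, and writes the CSV the thread wants for graphing.

```python
import re
from collections import defaultdict

# Constructed sample in the three-column "Counter | TM Name | Value" layout that
# Suricata 1.x wrote to stats.log, one "Date:" block appended per stats interval.
# The per-interface thread names are assumed, not copied from a real run.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 2/9/2012 -- 02:30:00 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapem11                | 1000
-------------------------------------------------------------------
Date: 2/9/2012 -- 02:30:08 (uptime: 0d, 00h 05m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapem11                | 1200
decoder.bytes             | RxPcapem11                | 960000
decoder.invalid           | RxPcapem11                | 3
decoder.pkts              | RxPcapem21                | 800
decoder.bytes             | RxPcapem21                | 640000
decoder.pkts              | RxPcapem31                | 500
decoder.invalid           | RxPcapem31                | 1
"""
ROW_RE = re.compile(r"^([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)$")  # banner lines never match

def consolidate(text):
    # Sum each counter across all capture threads and keep the per-thread values.
    # Counters are cumulative, so only the newest "Date:" block is read; summing
    # rows from several intervals would double count.
    totals, per_thread = defaultdict(int), defaultdict(dict)
    for line in text.split("\nDate:")[-1].splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            counter, tm, value = m.group(1), m.group(2), int(m.group(3))
            totals[counter] += value
            per_thread[counter][tm] = value
    return dict(totals), {k: dict(v) for k, v in per_thread.items()}

def to_csv(text):
    # One row per counter: consolidated total, then one column per thread (0 where
    # that thread reported no row). Names never contain commas, so plain joins suffice.
    totals, per_thread = consolidate(text)
    threads = sorted({tm for d in per_thread.values() for tm in d})
    rows = [["counter", "total"] + threads]
    for counter in sorted(totals):
        rows.append([counter, totals[counter]] + [per_thread[counter].get(t, 0) for t in threads])
    return "".join(",".join(map(str, r)) + "\n" for r in rows)
```

To use it on a live sensor, read the real stats.log into `to_csv` instead of `SAMPLE_STATS_LOG`; the "total" column is the consolidated figure Josh asked for, and the remaining columns keep the per-interface breakdown.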