[Oisf-users] Suricata's http-log

[Peter Bates]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello again all

On 29/03/2012 15:14, Victor Julien wrote:
>> I'm trying to avoid just using logrotate to move the file and
>> then restarting Suricata to pick up the change - if at all
>> possible.
> 
> You can use the trick described here: 
> https://redmine.openinfosecfoundation.org/issues/265#note-4

Thanks for the advice - and also Martin's suggestion that syslog
support for http-log might be useful.

I've been running httpry up until recently - and generally manage a
logfile from that of around 700-800Mb an hour, dropping to 200-300Mb
at quiet times.

Just testing with the Suricata http-log I've ended up with a 7Mb
logfile from 1pm-2pm (BST).

Httpry does also log the HTTP responses so you could argue the log
should be double the size - but there seems a big difference here
between the two.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPda91AAoJELhVoVpEMS6RPbwH/1nXjmMEbDzE6CQhGAgfYb6c
ebsrxKam3owvkOL2A/LHGeo4Y0nfjQ622jwZPhUHwEMl0FGNf6L7BNq9g//HOqhi
NKZQFAhYa45J6Fk2DpPAp6KUYb/RLHA0z3OflJtzFn18jAK9QE9POuRMiYSoqo18
XWZoxs3OuVi+UOxuWb97GAOoScsRrC5mQ2EI4LdodC9rjqy0RqJDhPxOVauOss7B
e65jJBxVgCCM2SfnnBoKy4PJR2XO0i3UguU6CGILiKFjb0SVScIzTvpxOelCR7bA
/TXZd/rnfhGHKFAhrx38bnfDgDvjFyQF/GbJkAfX3Cu7aEXWa1L5oA0oepJi868=
=MopT
-----END PGP SIGNATURE-----