[Oisf-users] Suricata's http-log

Peter Manev petermanev at gmail.com
Fri Mar 30 13:12:57 UTC 2012


Hi Peter,

Is there any way that you could compare the two logs by way of
scripting/bashing, if Suri and httpry are running at the same time
(maybe just a 10 min time span)?

thanks

On Fri, Mar 30, 2012 at 3:04 PM, Peter Bates <peter.bates at ucl.ac.uk> wrote:

>
> Hello again all
>
> On 29/03/2012 15:14, Victor Julien wrote:
> >> I'm trying to avoid just using logrotate to move the file and
> >> then restarting Suricata to pick up the change - if at all
> >> possible.
> >
> > You can use the trick described here:
> > https://redmine.openinfosecfoundation.org/issues/265#note-4
>
> Thanks for the advice - and also Martin's suggestion that syslog
> support for http-log might be useful.
>
> I've been running httpry up until recently - and generally manage a
> logfile from that of around 700-800Mb an hour, dropping to 200-300Mb
> at quiet times.
>
> Just testing with the Suricata http-log I've ended up with a 7Mb
> logfile from 1pm-2pm (BST).
>
> Httpry does also log the HTTP responses so you could argue the log
> should be double the size - but there seems a big difference here
> between the two.
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev
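A script for the comparison asked about above, added here as an example and not code from this thread or from the Suricata or httpry projects: it parses both logs over one shared time window and reports requests that one tool recorded and the other did not, which is the quickest way to tell whether the size gap is missing traffic or just a more compact format. It assumes the Suricata 1.x http.log line layout (timestamp, host, URI, user agent and addresses separated by `[**]`) and httpry's default tab-separated output, where request lines carry a `>` direction marker and response lines a `<`; the sample log lines are constructed, and the file names in the usage guard are placeholders.

```python
"""Compare Suricata http.log against an httpry log over a shared time window."""
import sys
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. Assumed Suricata 1.x http.log layout:
#   MM/DD/YYYY-HH:MM:SS.usec host [**] uri [**] user-agent [**] src:port -> dst:port
SURICATA_LOG = """\
03/30/2012-13:04:12.123456 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 10.0.0.5:51234 -> 192.0.2.10:80
03/30/2012-13:05:01.000001 www.example.com [**] /logo.png [**] Mozilla/5.0 [**] 10.0.0.5:51235 -> 192.0.2.10:80
03/30/2012-13:20:44.500000 cdn.example.net [**] /lib.js [**] curl/7.22 [**] 10.0.0.7:40000 -> 198.51.100.3:80
"""

# Constructed sample lines. Assumed httpry default output, tab separated:
#   "YYYY-MM-DD HH:MM:SS"  src  dst  dir  method  host  uri  version  status  reason
# Response lines (dir '<') carry no host/URI, so they are skipped below.
HTTPRY_LOG = """\
2012-03-30 13:04:12\t10.0.0.5\t192.0.2.10\t>\tGET\twww.example.com\t/index.html\tHTTP/1.1\t-\t-
2012-03-30 13:04:12\t192.0.2.10\t10.0.0.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2012-03-30 13:05:01\t10.0.0.5\t192.0.2.10\t>\tGET\twww.example.com\t/logo.png\tHTTP/1.1\t-\t-
2012-03-30 13:05:01\t192.0.2.10\t10.0.0.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2012-03-30 13:06:30\t10.0.0.6\t192.0.2.10\t>\tGET\twww.example.com\t/admin\tHTTP/1.1\t-\t-
2012-03-30 13:06:30\t192.0.2.10\t10.0.0.6\t<\t-\t-\t-\tHTTP/1.1\t404\tNot Found
"""


def parse_suricata(text):
    """Yield (timestamp, host, uri) for every request line in a Suricata http.log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = [f.strip() for f in rest.split(" [**] ")]
        host, uri = fields[0], fields[1]
        yield datetime.strptime(stamp, "%m/%d/%Y-%H:%M:%S.%f"), host, uri


def parse_httpry(text):
    """Yield (timestamp, host, uri) for every request line (direction '>') in an httpry log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        stamp, _src, _dst, direction, _method, host, uri = cols[:7]
        if direction != ">":
            continue  # a response: nothing to match against the Suricata side
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), host, uri


def requests_in_window(records, start, end):
    """Count (host, uri) pairs whose timestamp falls in [start, end)."""
    return Counter((host, uri) for ts, host, uri in records if start <= ts < end)


def compare(suricata_text, httpry_text, start, minutes=10):
    """Return request counts and the requests only one of the two tools logged."""
    end = start + timedelta(minutes=minutes)
    suri = requests_in_window(parse_suricata(suricata_text), start, end)
    hpry = requests_in_window(parse_httpry(httpry_text), start, end)
    # Counter subtraction keeps only positive differences, so each side lists
    # the requests the other tool never wrote (or wrote fewer times).
    return {
        "suricata_requests": sum(suri.values()),
        "httpry_requests": sum(hpry.values()),
        "only_in_httpry": sorted((hpry - suri).elements()),
        "only_in_suricata": sorted((suri - hpry).elements()),
    }


def demo():
    """Run the comparison on the constructed samples for a 13:00-13:10 window."""
    return compare(SURICATA_LOG, HTTPRY_LOG, datetime(2012, 3, 30, 13, 0))


if __name__ == "__main__":
    # Usage: compare_http_logs.py http.log httpry.log "03/30/2012-13:00:00"
    # (placeholder file names; without arguments the constructed samples are used)
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as s, open(sys.argv[2]) as h:
            start = datetime.strptime(sys.argv[3], "%m/%d/%Y-%H:%M:%S")
            result = compare(s.read(), h.read(), start)
    else:
        result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed samples the httpry side shows three requests in the window and Suricata two, with `/admin` from 10.0.0.6 present only in httpry; on real captures, a long `only_in_httpry` list points at requests Suricata is not seeing (or not logging) rather than at a denser log format, so it is the number to look at first.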

