[Oisf-users] http.log Viewer

Peter Manev petermanev at gmail.com
Mon Nov 11 10:09:19 UTC 2013


>>     @Peter where can the scripts be found?
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
>> This above is for files JSON output that we currently have.
>>
>> With Suricata 2.0 there will be JSON outputs for
>> dns/http/tls/alert/files - then you could use the same article and just
>> add the output files to your Logstash config. Just 30 days of patience
>> :) - https://redmine.openinfosecfoundation.org/projects/suricata/roadmap
>>
>> However if you insist on parsing http.log with Logstash/Kibana right
>> away with Suricata 1.4.6 , you can - it is just that you have to create
>> a custom regex and feed it to Logstash - very tricky!  And by the time
>> you do it, have it up and running, then after a couple of weeks you
>> wouldn't have had the need to do it and use it, since the http.log in
>> Suricata 2.0 is planned to have the JSON output support which is
>> natively parsed by Logstash.
>
> Peter, you created these regex' in Lux if I remember correctly. Can you
> please share them?
>

Sure thing.
File logstash-http.log attached.

You need to download the file grok-patterns and put it in the
"patterns" directory (under the directory where you start Logstash)
from here -
https://github.com/logstash/logstash/tree/v1.2.2/patterns

More info can be found here -
http://logstash.net/docs/1.2.2/filters/grok

For parsing http.log this is lightly tested, please verify before you
put it in production.
Let me know if there are any issues.

Thanks

-- 
Regards,
Peter Manev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logstash-http.conf
Type: application/octet-stream
Size: 747 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20131111/f387ac86/attachment-0002.obj>
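As an added example (not the attached logstash-http.conf and not part of this thread): the custom regex that Peter describes having to hand-build for Suricata 1.4.x, written here in Python instead of grok, so the field boundaries can be checked offline before the same pattern is moved into a Logstash filter. It assumes the default, non-extended http.log line layout of Suricata 1.4 (timestamp, hostname, URI and user-agent separated by "[**]", then src:port -> dst:port) and reshapes the fields into the key names the Suricata 2.0 JSON output uses; all sample lines are constructed.

```python
import re
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Assumed Suricata 1.4.x http.log layout (non-extended logging):
#   MM/DD/YYYY-HH:MM:SS.usec <host> [**] <uri> [**] <user-agent> [**] <src>:<sport> -> <dst>:<dport>
# Host, URI and user-agent are client-controlled and may contain spaces or "->",
# so they are matched lazily between the "[**]" separators instead of with \S+,
# and the pattern is anchored at both ends so a bad line fails cleanly.
HTTP_LOG_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<hostname>.*?) \[\*\*\] "
    r"(?P<uri>.*?) \[\*\*\] "
    r"(?P<user_agent>.*?) \[\*\*\] "
    r"(?P<src_ip>[0-9a-fA-F.:]+):(?P<src_port>\d{1,5}) -> "
    r"(?P<dest_ip>[0-9a-fA-F.:]+):(?P<dest_port>\d{1,5})$"
)


def parse_http_log_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one http.log line into a dict using Suricata 2.0 eve-style keys.
    Returns None when the line does not match, so the caller can count or
    alert on unparsed lines instead of silently mis-attributing fields."""
    m = HTTP_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["timestamp"], "%m/%d/%Y-%H:%M:%S.%f")
    return {
        "timestamp": ts.isoformat(),
        "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
        "dest_ip": d["dest_ip"], "dest_port": int(d["dest_port"]),
        "http": {"hostname": d["hostname"], "url": d["uri"],
                 "http_user_agent": d["user_agent"]},
    }


def parse_http_log(lines: List[str]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse many lines; returns (parsed events, lines that failed to parse)."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_http_log_line(line)
        events.append(ev) if ev else unparsed.append(line)
    return events, unparsed


# Constructed sample lines (not real traffic); the second has a space in the URI
# and a "->" inside the user-agent, the third is not an http.log line at all.
SAMPLE_LINES = [
    "11/11/2013-10:09:19.123456 www.example.com [**] /index.html [**] Mozilla/5.0 (X11; Linux x86_64) [**] 192.168.1.10:49152 -> 93.184.216.34:80",
    "11/11/2013-10:09:20.000001 10.0.0.5 [**] /a b/c [**] curl/7.32.0 -> weird [**] 10.0.0.9:40000 -> 10.0.0.5:8080",
    "this is not an http.log line",
]

if __name__ == "__main__":
    ok, bad = parse_http_log(SAMPLE_LINES)
    print(ok, bad)
```

Once the groups line up on real lines, the same regex translates into a grok pattern in the Logstash filter, with the unparsed-line count kept as a health check on the pipeline.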