[Oisf-users] practical use of dns log

Peter Manev petermanev at gmail.com
Wed Nov 27 08:52:22 UTC 2013


On Tue, Nov 26, 2013 at 10:53 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> You might want to look into the logstash and kibana projects.  Logstash
> can be used with a program called 'grok' to insert arbitrary data into
> an elasticsearch database.
>
> You can also capture/index DNS traffic off of the wire via the 'moloch'
> project.  See: https://github.com/aol/moloch
>
> -Coop
>
> On 11/26/2013 12:49 AM, Christophe Vandeplas wrote:
>> Hi list,
>>
>>
>> In the past I've been using another tool to do DNS logging, and now
>> I'd like to use Suricata for this. The format of the file is
>> completely different, and also a part of the interpretation (Suricata
>> is a LOT more verbose and complete).
>>
>> DNS logging of Suricata is multiple lines per DNS request (and
>> response). So searching for things requires multiple greps and
>> filtering out duplicate ids.
>>
>> I'm wondering how others use this DNS logging.
>> All stories (on or off-list) and practical use-cases are welcome.
>> I'll do my best to document these on the wiki so that others can
>> benefit from this info.
>>
>> As far as I understand there seem to be plans to transform the logging
>> into JSON. Is there already an idea about when that's to be expected?
>>
>>

Some general info and "how to" guides here:
https://home.regit.org/2013/10/logstash-and-suricata-for-the-old-guys/

and here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

All JSON output capability is planned for 2.0:
http, dns, alert, tls alongside files-json.

Currently I am writing an article/tutorial on how to use the all JSON
output with Kibana, Elasticsearch and Logstash.

Thanks

-- 
Regards,
Peter Manev
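As an added example, not code from the thread or from the Suricata project: one way to fold the per-line JSON DNS records Peter refers to back into one record per transaction, which is the multiple-lines-per-request and duplicate-id problem Christophe describes. The event layout is an assumption modelled on Suricata's eve.json "dns" events, and the sample lines are constructed.

```python
import json

# Constructed sample in the assumed eve.json shape: one "query" record and
# zero or more "answer" records per DNS transaction, correlated by the 16-bit
# DNS "id" plus the flow. Two different clients deliberately reuse id 4660.
SAMPLE_EVE = """\
{"timestamp":"2013-11-26T09:49:00.000001","event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4660,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2013-11-26T09:49:00.000200","event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"www.example.com","rrtype":"A","ttl":300,"rdata":"203.0.113.10"}}
{"timestamp":"2013-11-26T09:49:00.000201","event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"www.example.com","rrtype":"A","ttl":300,"rdata":"203.0.113.11"}}
{"timestamp":"2013-11-26T09:49:01.000001","event_type":"dns","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4660,"rrname":"mail.example.org","rrtype":"MX"}}
{"timestamp":"2013-11-26T09:49:02.000001","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.1"}
"""


def flow_key(ev):
    """Key a DNS event by (client ip, client port, server ip, dns id) so two
    clients that happen to reuse the same id are not merged into one record.
    For a query the client is the source; for an answer it is the destination."""
    d = ev["dns"]
    if d["type"] == "query":
        return (ev["src_ip"], ev["src_port"], ev["dest_ip"], d["id"])
    return (ev["dest_ip"], ev["dest_port"], ev["src_ip"], d["id"])


def correlate(lines):
    """Fold per-line eve DNS records into one dict per transaction."""
    txs = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue  # alert, http, tls records share the same file
        d = ev["dns"]
        tx = txs.setdefault(flow_key(ev), {"query": None, "answers": []})
        if d["type"] == "query":
            tx["query"] = {"ts": ev["timestamp"], "client": ev["src_ip"],
                           "rrname": d["rrname"], "rrtype": d["rrtype"]}
        else:
            tx["answers"].append((d["rrtype"], d.get("rdata"), d.get("ttl")))
    return list(txs.values())


def unanswered(txs):
    """Names that were queried but never got an answer record: a quick triage
    view that needs no grep-and-dedupe once records are joined."""
    return [t["query"]["rrname"] for t in txs if t["query"] and not t["answers"]]
```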
