[Oisf-users] practical use of dns log

Peter Manev petermanev at gmail.com
Thu Nov 28 09:30:46 UTC 2013


>
> Splunk isn't an option for many people for high-volume logs (like DNS)
> as its pricing structure is too expensive.

+1

>
> To be honest, I don't use any of the logging features of suricata other
> than the fast and unified2 alerts.
>
> As mentioned, I think there are better stand-alone solutions on the
> market (like bro and moloch) for doing application layer logging,
> indexing and searching.  Provided you have a powerful enough box you can
> run more than one tool on the same sensor.
>
> *But*, once suricata can output everything in JSON format so it can be
> integrated with logstash/elasticsearch I have a feeling it's going to be
> the ideal all-in-one solution.
>

Agree!

Purely from my user point of view - I feel reluctant to write (or
use and support) 2, 3, 4... different log parsers, so that I can
parse the different styles and formats of the outputs - dns, http,
fast, alert-debug, tls, file, unified2 - and then have different
tools to search and report through those.

This is the whole purpose of the all-JSON output capability.
You can use the same parser for any output, since the format is the
same. Hence making it much easier from a time, administrative and support
point of view.

There are many good open source and free tools/applications that
parse, search through and visualize JSON format outputs, one of them is
the Logstash/Kibana/Elasticsearch trio.
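To illustrate the "one parser for every output" point made in the post, here is a small added example (not code from the post, the list, or the Suricata project) that reads newline-delimited EVE-style JSON, the format Suricata's JSON output uses, with a single parser and then counts, searches and summarizes DNS, HTTP and alert records from the same in-memory list. The log lines are constructed for this example; the field names (event_type, src_ip, dns.rrname, http.hostname, alert.signature_id) follow Suricata's EVE JSON layout as I understand it, and the summary extractors are this example's own choice, not anything Suricata or Logstash provides.

```python
import json
from collections import Counter

# Constructed sample of EVE-style JSON lines, one event per line.
# Invented for illustration; not captured from a real sensor.
# The last line is deliberately not JSON to show how a bad line is handled.
SAMPLE_EVE_LINES = """\
{"timestamp":"2013-11-28T09:30:46.000000","event_type":"dns","src_ip":"10.0.0.5","src_port":53123,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1234,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2013-11-28T09:30:46.002000","event_type":"dns","src_ip":"10.0.0.1","src_port":53,"dest_ip":"10.0.0.5","dest_port":53123,"proto":"UDP","dns":{"type":"answer","id":1234,"rrname":"example.com","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}}
{"timestamp":"2013-11-28T09:30:47.000000","event_type":"http","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2013-11-28T09:30:48.000000","event_type":"alert","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","alert":{"signature_id":2000001,"rev":1,"signature":"CONSTRUCTED TEST rule","category":"Misc activity","severity":3}}
this line is not json and is counted as a parse error
"""


def parse_eve(text):
    """One parser for every record type: each line is a JSON object with an
    event_type and a shared envelope (timestamp, 5-tuple). Returns the
    decoded events and the number of lines that could not be parsed."""
    events, errors = [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            errors += 1
            continue
        if not isinstance(ev, dict) or "event_type" not in ev:
            errors += 1
            continue
        events.append(ev)
    return events, errors


def count_by_type(events):
    """Volume per event_type; handy for seeing how much DNS dominates."""
    return dict(Counter(ev["event_type"] for ev in events))


def search_ip(events, ip):
    """Cross-type search: every event where ip is source or destination,
    whether it came from the dns, http or alert output."""
    return [ev for ev in events if ip in (ev.get("src_ip"), ev.get("dest_ip"))]


def dns_query_names(events):
    """Set of names queried, taken from the dns records only."""
    return {
        ev["dns"].get("rrname")
        for ev in events
        if ev["event_type"] == "dns" and ev.get("dns", {}).get("type") == "query"
    }


# Per-type body extractors (this example's own, hypothetical helpers).
# Only the body differs between record types; the envelope is shared.
def _dns_body(ev):
    d = ev.get("dns", {})
    return f"{d.get('type')} {d.get('rrtype')} {d.get('rrname')}"


def _http_body(ev):
    h = ev.get("http", {})
    return f"{h.get('http_method')} {h.get('hostname')}{h.get('url')} {h.get('status')}"


def _alert_body(ev):
    a = ev.get("alert", {})
    return f"sid:{a.get('signature_id')} {a.get('signature')}"


EXTRACTORS = {"dns": _dns_body, "http": _http_body, "alert": _alert_body}


def summarize(ev):
    """One-line report for any event type; unknown types get envelope only."""
    head = (f"{ev.get('timestamp')} {ev.get('event_type')} "
            f"{ev.get('src_ip')}:{ev.get('src_port')} -> "
            f"{ev.get('dest_ip')}:{ev.get('dest_port')}")
    body = EXTRACTORS.get(ev.get("event_type"), lambda _: "")(ev)
    return f"{head} {body}".rstrip()


if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE_LINES)
    print(f"parsed {len(evs)} events, {bad} bad line(s): {count_by_type(evs)}")
    for ev in evs:
        print(summarize(ev))
    print("events touching 93.184.216.34:",
          [ev["event_type"] for ev in search_ip(evs, "93.184.216.34")])
```

The point of the example is that `parse_eve` never special-cases a record type: the single JSON decoder plus the `event_type` field is all that is needed to route records, and the type-specific extractors are tiny compared with maintaining separate parsers for the dns, http, fast and alert-debug text formats. In practice this is the role Logstash's JSON codec plays in the Logstash/Elasticsearch/Kibana stack the post mentions.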


