[Oisf-users] Indexing alert packet contents?

Matt matt at somedamn.com
Wed Mar 26 20:02:06 UTC 2014


I currently syslog alerts to a central server for storage.  To store 
packet contents, I write alert-debug to a unix socket on the sensor and 
read it with a perl script that does some filtering, writes the alerts 
to disk, and manages log rotation.  I'd really like to use this new 
elasticsearch fanciness to get indexed searches of packet contents with 
a pretty Kibana interface, but I don't see an easy way to do it.  It 
seems like it would be a no-brainer if the new eve format stored packet 
contents, but that doesn't appear to be the case.

Does anyone here have a good solution for this?  Maybe write a unified2 
parser for logstash?  Or does it make sense to put in a feature request 
for eve to be able to output packets in the alert messages?

Matt
