[Oisf-users] Suricata Logs

Peter Manev petermanev at gmail.com
Tue Jul 28 08:15:47 UTC 2015


On Mon, Jul 27, 2015 at 8:18 PM, Jeremy MJ <jskier at gmail.com> wrote:
> This comes up a lot. Look into a log manager or SIEM, there are a lot
> out there. Logstash is a free one, but requires a bit of
> configuration. I use Splunk personally and have been very happy with
> it. All logs (split up by host) flow into one index and are divided up
> again by sourcetype (event_type in suricata).
>
> Most logs are in realtime btw.
>
> --
> Jeremy MJ
>
>
> On Mon, Jul 27, 2015 at 12:53 PM, Saxena, Samiksha
> <samiksha.saxena at verizon.com> wrote:
>> Hi,
>>
>> I will have more than 20 Suricata engines, where each suricata engine will
>> generate logs based on rules. I want to collect all the logs at one common
>> place from each suricata engine. How should I achieve this?
>> Also, what is the value of the logs files and how often the logs are
>> generated?
>>
>>

Samiksha,

My view is that you need to know and scope your requirements very well
for that particular deployment - before you deploy it :).
A good approach is to execute a PoC employing the use of different
tools/software/team members to see what best fits your needs and to
get an idea about some of the requirements you will need to cover.

20 Suri sensors - let's say deployed on 4-6 Gbps lines and having all
(I emphasize all - including dns/flow for example) log outputs
available to Suricata enabled - can potentially generate (as an
aggregate) over 1000K events a second (traffic type dependent).

As mentioned above - a PoC will give you a better idea about the
HW, transport, tools and a lot more specifics (IO/disks/events per
second/memory/cpu/network bandwidth/event aggregation/processes/change
management/expected traffic growth considerations/suricata's
configuration specifics/who and from where will access the central
data/what are you going to/want to do with that data... etc.) that you
need to take into consideration for your production deployment's
architecture/design... and this is just a start.

Thanks


>> Thanks
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev
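The thread talks about collecting EVE JSON output from many sensors into one place, splitting it by event_type, and sizing the PoC by events per second. As an added illustration that is not from this thread or from the Suricata project, the script below ingests constructed EVE lines from two sensors, tags each record with its sensor of origin, tolerates a partially written trailing line (what a shipper sees when it reads eve.json mid-write), and derives the per-sensor/per-event_type counts, the cross-sensor alert counts, and the aggregate event rate one would use to size a central collector. The sensor names, the "sensor" tag field, the IPs and the signature (sid 1000001, local-rule range) are placeholders; the record layout follows Suricata's EVE format, but the lines themselves are made up.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed EVE JSON records in the one-object-per-line shape Suricata's
# eve-log writes. Made-up sample data, not captured sensor output; sensor
# names, addresses and the sid 1000001 signature are placeholders.
CONSTRUCTED_EVE = {
    "suri-01": [
        '{"timestamp":"2015-07-27T12:53:00.000100+0000","flow_id":101,"event_type":"alert",'
        '"src_ip":"10.1.1.5","src_port":51000,"dest_ip":"10.2.2.8","dest_port":80,"proto":"TCP",'
        '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
        '"signature":"LOCAL constructed test alert","severity":2}}',
        '{"timestamp":"2015-07-27T12:53:00.400000+0000","flow_id":102,"event_type":"dns",'
        '"src_ip":"10.1.1.5","src_port":53123,"dest_ip":"10.1.1.1","dest_port":53,"proto":"UDP",'
        '"dns":{"type":"query","id":4242,"rrname":"example.com","rrtype":"A"}}',
        '{"timestamp":"2015-07-27T12:53:01.000000+0000","flow_id":101,"event_type":"flow",'
        '"src_ip":"10.1.1.5","src_port":51000,"dest_ip":"10.2.2.8","dest_port":80,"proto":"TCP",'
        '"flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":600,"bytes_toclient":1400}}',
        # Trailing line cut mid-write: a log shipper tailing eve.json can see this.
        '{"timestamp":"2015-07-27T12:53:01.500000+0000","event_type":"dns","truncat',
    ],
    "suri-02": [
        '{"timestamp":"2015-07-27T12:53:00.250000+0000","flow_id":201,"event_type":"http",'
        '"src_ip":"10.3.3.7","src_port":40001,"dest_ip":"10.2.2.8","dest_port":80,"proto":"TCP",'
        '"http":{"hostname":"example.com","url":"/index.html","http_method":"GET","status":200}}',
        '{"timestamp":"2015-07-27T12:53:02.000000+0000","flow_id":202,"event_type":"alert",'
        '"src_ip":"10.3.3.7","src_port":40002,"dest_ip":"10.2.2.9","dest_port":443,"proto":"TCP",'
        '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
        '"signature":"LOCAL constructed test alert","severity":2}}',
    ],
}


def parse_eve(sensor, lines):
    """Parse EVE lines from one sensor and tag each record with its origin.

    Returns (records, dropped). Malformed or incomplete lines are counted as
    dropped instead of aborting the ingest, so one torn line cannot stall
    the collector. The "sensor" key is our own tag, not an EVE field.
    """
    records, dropped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if "event_type" not in rec or "timestamp" not in rec:
            dropped += 1
            continue
        rec["sensor"] = sensor
        records.append(rec)
    return records, dropped


def ingest_all(sensor_lines):
    """Merge the per-sensor streams into one list, keeping the drop count."""
    all_records, total_dropped = [], 0
    for sensor, lines in sensor_lines.items():
        recs, dropped = parse_eve(sensor, lines)
        all_records.extend(recs)
        total_dropped += dropped
    return all_records, total_dropped


def parse_ts(ts):
    # EVE timestamps look like 2015-07-27T12:53:00.000100+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def count_by_sensor_and_type(records):
    """What a SIEM index split by host and sourcetype (event_type) would hold."""
    return Counter((r["sensor"], r["event_type"]) for r in records)


def alerts_by_signature(records):
    """Cross-sensor alert counts keyed on (sid, signature): the payoff of centralising."""
    return Counter(
        (r["alert"]["signature_id"], r["alert"]["signature"])
        for r in records
        if r["event_type"] == "alert"
    )


def events_per_second(records):
    """Aggregate event rate over the time span the records cover (PoC sizing input)."""
    if not records:
        return 0.0
    times = [parse_ts(r["timestamp"]) for r in records]
    span = (max(times) - min(times)).total_seconds()
    return len(records) / span if span > 0 else float(len(records))


if __name__ == "__main__":
    records, dropped = ingest_all(CONSTRUCTED_EVE)
    print(f"ingested {len(records)} records, dropped {dropped}")
    for key, n in sorted(count_by_sensor_and_type(records).items()):
        print(f"{key[0]:8s} {key[1]:6s} {n}")
    for (sid, sig), n in alerts_by_signature(records).items():
        print(f"sid {sid} '{sig}' seen {n}x across sensors")
    print(f"aggregate rate: {events_per_second(records):.2f} events/s")
```

Run it as-is to see the per-sensor breakdown; for a real PoC, replace CONSTRUCTED_EVE with lines tailed from each sensor's eve.json and let the rate and the drop count drive the collector sizing and the choice of shipper.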