[Oisf-users] Issues with suricata eve.json datagramm logging?
Jason Ish
lists at ish.cx
Thu May 25 00:48:57 UTC 2017
On 24/05/17 06:35 PM, Cooper F. Nelson wrote:
> Hi Jason,
>
> Thanks so much for your help. Is there a guide anywhere on how to use
> the syslog (vs. datagram) logging? And whether or not there is any
> benefit to do so?
>
There is a recent blog post about using syslog-ng, not sure if it will
fit your use case though:
https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/
But I think your end-goal will ultimately determine what's best for you.
In an environment that generates lots of logs I'd probably opt not to
use unix_sock or unix_dgram right now. If the receiver can't keep up with
the pace of events, it could actually cause Suricata to drop packets.
The next release of Suricata will drop events if the receiver can't keep
up instead of blocking packets.
But if your syslog daemon is syslog-ng, I'd maybe just try using plain
old syslog before bothering with the socket, but I don't really have any
experience with doing that myself.
Jason
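The blocking behaviour described above, as an added example that is not part of the thread and not Suricata's own code: it builds an AF_UNIX SOCK_DGRAM pair (the transport behind eve-log's `filetype: unix_dgram`), never reads on the receiving side, and floods it with constructed eve-style events. It then shows the two policies side by side: a blocking send (the old behaviour, where the caller, in Suricata's case the packet thread, stalls until a timeout) and a non-blocking send that drops the event when the queue is full (the behaviour Jason says the next release adopts). The queue limit and the stall measurement assume Linux, where a connected unix datagram sender blocks once the peer holds more than net.unix.max_dgram_qlen (default 10) undelivered datagrams; the event contents are made up.

```python
"""Why a slow unix_dgram receiver stalls the sender, and what dropping instead looks like.

Added example; not code from Suricata or from the mailing-list thread.
Assumes Linux semantics for AF_UNIX SOCK_DGRAM (queue limit
net.unix.max_dgram_qlen, default 10). Run it directly to see the numbers.
"""
import errno
import json
import os
import socket
import sys
import tempfile
import time

IS_LINUX = sys.platform.startswith("linux")

# Constructed sample record, shaped like an eve.json alert (not a real alert).
SAMPLE_EVENT = json.dumps({
    "timestamp": "2017-05-24T18:35:00.000000+0000",
    "event_type": "alert",
    "src_ip": "192.0.2.10", "dest_ip": "198.51.100.20",
    "alert": {"signature": "CONSTRUCTED example event", "severity": 3},
}).encode()

# Errors that mean "receiver queue is full" on a non-blocking datagram send.
FULL_QUEUE_ERRNOS = {errno.EAGAIN, errno.EWOULDBLOCK, errno.ENOBUFS}


def make_pair():
    """Bound receiver plus connected sender: the syslog daemon listening on a
    socket and the log writer connecting to it. The receiver never reads."""
    path = os.path.join(tempfile.mkdtemp(), "eve.sock")
    rx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    rx.bind(path)
    tx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    tx.connect(path)
    return rx, tx


def send_blocking(tx, event, timeout):
    """Old policy: wait for the receiver. Returns (delivered, seconds_spent).
    A stalled caller here is a stalled packet thread in the real system."""
    tx.settimeout(timeout)
    t0 = time.monotonic()
    try:
        tx.send(event)
        return True, time.monotonic() - t0
    except socket.timeout:
        return False, time.monotonic() - t0
    except OSError as e:  # BSD-style kernels report a full queue immediately
        if e.errno in FULL_QUEUE_ERRNOS:
            return False, time.monotonic() - t0
        raise


def send_or_drop(tx, event):
    """New policy: never wait. Returns True if queued, False if dropped."""
    tx.setblocking(False)
    try:
        tx.send(event)
        return True
    except OSError as e:
        if e.errno in FULL_QUEUE_ERRNOS:
            return False
        raise


def flood(n_events, stall_timeout=0.2):
    """Push n_events at a receiver that never reads.

    Returns how many events were queued vs dropped under the drop policy,
    how long one blocking attempt on the full queue stalled the caller,
    and how many events the receiver actually finds when it finally reads."""
    rx, tx = make_pair()
    try:
        queued = dropped = 0
        for _ in range(n_events):
            if send_or_drop(tx, SAMPLE_EVENT):
                queued += 1
            else:
                dropped += 1
        # The queue is full now: a blocking send stalls for the whole timeout.
        delivered, stalled_for = send_blocking(tx, SAMPLE_EVENT, stall_timeout)
        if delivered:
            queued += 1
            stalled_for = 0.0
        # Drain the receiver to prove exactly the queued events got through.
        rx.setblocking(False)
        received = 0
        while True:
            try:
                rx.recv(65536)
                received += 1
            except BlockingIOError:
                break
        return {"sent": n_events, "queued": queued, "dropped": dropped,
                "received": received, "stalled_for": stalled_for}
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    print(flood(200))
```

With the defaults, roughly a dozen events sit in the queue and the rest are dropped; the single blocking attempt burns the full 0.2 s, which is the cost a packet thread pays per event when a syslog daemon on the other end of `filetype: unix_dgram` falls behind.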