[Oisf-users] Issues with suricata eve.json datagramm logging?

Cooper F. Nelson cnelson at ucsd.edu
Fri May 26 21:01:23 UTC 2017

After some experimenting this appears to be the best solution:

(this has to be done before starting the suricata process)

> # create named pipe for netcat listener
> rm -f /home/suri/eve.json && mkfifo /home/suri/eve.json && chown suri:suri /home/suri/eve.json

> # setup buffered netcat process
> nohup buffer -b 128 -s 64kb < /home/suri/eve.json | nc $LOG_COLLECTOR 515 > /dev/null &

Suricata is configured to append logs, as a file, to
/home/suri/eve.json.  The 'buffer' program reads this into an 8MB ring
buffer and sends it to netcat, so be forwarded to a remote log collector.


On 5/25/2017 10:51 AM, Cooper F. Nelson wrote:
> I saw that article, however it appears to be using the suricata 'file'
> (vs. native syslog) output.  Syslog-ng is then monitoring the log file.
>  I would prefer to avoid any disk I/O if at all possible.

Cooper Nelson
IT Security - Information Technology Services
University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170526/40218b33/attachment-0002.sig>

More information about the Oisf-users mailing list