[Oisf-users] Issues with suricata eve.json datagramm logging?
Cooper F. Nelson
cnelson at ucsd.edu
Fri May 26 21:01:23 UTC 2017
After some experimenting this appears to be the best solution:
(this has to be done before starting the suricata process)
> # create named pipe for netcat listener
> rm -f /home/suri/eve.json && mkfifo /home/suri/eve.json && chown suri:suri /home/suri/eve.json
> # setup buffered netcat process
> nohup buffer -b 128 -s 64kb < /home/suri/eve.json | nc $LOG_COLLECTOR 515 > /dev/null &
Suricata is configured to append logs, as a file, to
/home/suri/eve.json. The 'buffer' program reads this into an 8MB ring
buffer and sends it to netcat, to be forwarded to a remote log collector.
-Coop
On 5/25/2017 10:51 AM, Cooper F. Nelson wrote:
> I saw that article, however it appears to be using the suricata 'file'
> (vs. native syslog) output. Syslog-ng is then monitoring the log file.
> I would prefer to avoid any disk I/O if at all possible.
--
Cooper Nelson
IT Security - Information Technology Services
University of California San Diego
(858) 534-6487 - cnelson at ucsd.edu
https://cybersecurity.ucsd.edu
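The FIFO pattern above, as an added example that is not from the original post or from the Suricata project: it builds the named pipe, checks that the path really is a FIFO before the producer starts (if a stale regular file is left behind, Suricata would silently write to disk, which is what the post is trying to avoid), attaches the reader first, then feeds constructed eve.json lines through the pipe. Because `buffer` and `nc` are not available offline, the forwarder stage is a stand-in (`cat` into a local sink file) in place of `buffer -b 128 -s 64kb < fifo | nc $LOG_COLLECTOR 515`; the path names are hypothetical temp files.

```shell
#!/bin/sh
# Added example (not from the post): FIFO-based eve.json forwarding, offline.
# Hypothetical paths, constructed for this example.
EVE_FIFO="${TMPDIR:-/tmp}/eve-fifo-example.$$"
SINK="${TMPDIR:-/tmp}/eve-sink-example.$$"
FORWARDER_PID=""

# Returns 0 only if the path is a FIFO. Run this before starting Suricata:
# a leftover regular file at the same path means logs go to disk, not the pipe.
check_fifo() {
    [ -p "$1" ]
}

# Recreate the pipe; 0600 so only the owner can read the alert stream.
setup_fifo() {
    rm -f "$1" && mkfifo -m 0600 "$1"
}

# Attach the reader BEFORE the producer. open() on a FIFO blocks until the
# other side exists, so Suricata would hang at startup with no reader attached,
# and once the reader is gone later writes fail with EPIPE (the forwarder
# therefore needs supervision, e.g. a restart loop).
start_forwarder() {
    fifo=$1
    sink=$2
    # stand-in for: buffer -b 128 -s 64kb < "$fifo" | nc "$LOG_COLLECTOR" 515
    cat < "$fifo" >> "$sink" &
    FORWARDER_PID=$!
}

# Constructed sample of what Suricata writes to eve.json: one JSON object per line.
emit_sample_events() {
    printf '%s\n' \
      '{"timestamp":"2017-05-26T21:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature":"EXAMPLE constructed alert"}}' \
      '{"timestamp":"2017-05-26T21:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.11","dest_ip":"198.51.100.5"}' \
      > "$1"
}

# Number of event lines that reached the (stand-in) collector.
count_forwarded() {
    wc -l < "$1" | tr -d ' '
}

cleanup_demo() {
    rm -f "$EVE_FIFO" "$SINK"
}

# Full sequence: pipe, pre-start check, reader, producer, drain, count.
run_demo() {
    setup_fifo "$EVE_FIFO" || return 1
    check_fifo "$EVE_FIFO" || return 1
    start_forwarder "$EVE_FIFO" "$SINK"
    emit_sample_events "$EVE_FIFO"   # the producer returns once the reader drained the pipe
    wait "$FORWARDER_PID"            # cat exits on EOF when the producer closes its end
    n=$(count_forwarded "$SINK")
    cleanup_demo
    echo "$n"                        # expected: 2
}
```

Running `run_demo` prints the number of lines delivered to the sink. Replacing the `cat` line with the `buffer | nc` pipeline from the post gives the real forwarder; note that netcat sends the alert stream in clear text and does not reconnect, so a collector outage ends the reader and the pipe must be re-attached before Suricata's next write.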