[Oisf-users] Fwd: Eve JSON vs Normal Logs
Tiago Faria
tiago.faria.backups at gmail.com
Thu Dec 27 10:10:08 UTC 2018
If you’re sending data over to Splunk, you definitely want to use JSON for
logs.
Make sure to install the TA on the Splunk side and apply that sourcetype
(suricata) to your SUF configuration.
TA -
https://splunkbase.splunk.com/app/2760/#/overview
Even though it will appear to work correctly if you don’t, there will be a
few events (out of hundreds) that Splunk will fail to line break.
I’m working on putting this, and other information, on the User Guide.
Hopefully that’ll be done soon and might assist you further.
Hope it helps!
Tiago
On Thu, 27 Dec 2018 at 06:38, David Decker <x.faith at gmail.com> wrote:
> Question: Is there a reason to opt to use the normal logs vice eve json?
> Data will be going to Splunk. Taking over some work, and trying to
> understand the reasoning.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
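An added example, not part of the thread above, to make the EVE-vs-fast.log point concrete in code. Suricata's EVE output writes one JSON object per line, so a consumer that assumes "one line is one event" works until something (a pretty-printed record, a downstream re-wrap) splits an object across lines; that is the same class of line-breaking problem the reply describes for Splunk. The block below shows a naive line-per-event reader beside a tolerant one that reassembles objects using Python's `json.JSONDecoder.raw_decode`, and a regex reader for the TCP/UDP form of `fast.log` to show how few fields the text format carries. All sample lines are constructed (RFC 5737 addresses, local-range signature id 1000001).

```python
import json
import re
from collections import Counter

# Constructed EVE sample: first and last records are single-line, as Suricata writes them;
# the middle record has been pretty-printed across several lines to trigger the failure mode.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2018-12-27T10:10:08.123456+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.5","dest_port":51234,'
    '"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL TEST id check",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{',
    '  "timestamp": "2018-12-27T10:10:09.000000+0000",',
    '  "event_type": "dns",',
    '  "src_ip": "198.51.100.5",',
    '  "dest_ip": "192.0.2.53",',
    '  "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}',
    '}',
    '{"timestamp":"2018-12-27T10:10:10.000000+0000","event_type":"flow",'
    '"src_ip":"198.51.100.5","dest_ip":"192.0.2.10","proto":"TCP"}',
])

# Constructed fast.log line in Suricata's text format for the same alert.
SAMPLE_FAST = ("12/27/2018-10:10:08.123456  [**] [1:1000001:1] LOCAL TEST id check [**] "
               "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
               "192.0.2.10:80 -> 198.51.100.5:51234")


def parse_eve_naive(text):
    """One line == one event. Returns (events, rejected_line_count)."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            rejected += 1  # a split record produces several unparseable fragments
    return events, rejected


def parse_eve_tolerant(text):
    """Accumulate lines until a complete JSON object decodes, so records split
    across lines are reassembled instead of dropped."""
    decoder = json.JSONDecoder()
    events, buf = [], ""
    for line in text.splitlines():
        buf += line.strip()
        while buf:
            try:
                obj, end = decoder.raw_decode(buf)
            except json.JSONDecodeError:
                break  # incomplete object: wait for more lines
            events.append(obj)
            buf = buf[end:].lstrip()
    return events


# Matches the TCP/UDP form of fast.log (ICMP lines have no ports and are not covered here).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)$"
)


def parse_fast_log_line(line):
    """Flat dict of the fields fast.log exposes, or None if the line does not match."""
    m = FAST_LOG_RE.match(line)
    return m.groupdict() if m else None


def event_types(events):
    """Count EVE event_type values; fast.log only ever carries alerts."""
    return dict(Counter(e.get("event_type", "unknown") for e in events))


if __name__ == "__main__":
    naive, bad = parse_eve_naive(SAMPLE_EVE)
    print(f"naive reader: {len(naive)} events, {bad} rejected lines")
    tolerant = parse_eve_tolerant(SAMPLE_EVE)
    print(f"tolerant reader: {len(tolerant)} events, types {event_types(tolerant)}")
    print("fast.log fields:", parse_fast_log_line(SAMPLE_FAST))
```

The tolerant reader is a consumer-side safety net, not a substitute for correct ingestion settings: the right fix is still to feed the collector one object per line and tell it the sourcetype, as the reply says, so every event is a single record with its nested `alert`, `dns` and `flow` fields intact.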