List: oisf-devel
Subject: Re: [Oisf-devel] Log output - syslog
From: Martin Holste <mcholste () gmail ! com>
Date: 2014-02-13 19:25:23
Message-ID: CANpnLHg=NjTx=YPL=NO=OkU0i=Ed11rhkSGxRi_4qwT_uF0e-w () mail ! gmail ! com
That's terrific, I'll give that a try.
On Thu, Feb 13, 2014 at 12:40 PM, Victor Julien <victor@inliniac.net> wrote:
> On 02/13/2014 07:38 PM, Martin Holste wrote:
> > Writing to syslog is very important for large deployments with
> > centralized collection as well as saving IOPS that are spent writing to
> > disk unnecessarily. Syslog-NG can read JSON templates, so writing all of
> > these events to something like ELSA (which would be easy in
> > SecurityOnion) would easily enable searching and analytics based on the
> > wealth of data produced by the new logging framework. Dealing with
> > events in flat files adds a lot of complexity versus event streaming
> > using syslog.
>
> Actually, the eve-log (the all json firehose) *does* support syslog:
>
>   # "United" event log in JSON format
>   - eve-log:
>       enabled: no
>       type: file #file|syslog|unix_dgram|unix_stream
>       filename: eve.json
>       # the following are valid when type: syslog above
>       #identity: "suricata"
>       #facility: local5
>       #level: Info ## possible levels: Emergency, Alert, Critical,
>                    ## Error, Warning, Notice, Info, Debug
>       types:
>         - alert
>         - http:
>             extended: yes     # enable this for extended logging information
>         - dns
>         - tls:
>             extended: yes     # enable this for extended logging information
>         - files:
>             force-magic: no   # force logging magic on all logged files
>             force-md5: no     # force logging of md5 checksums
>         #- drop
>
> So that might be good enough?
>
> Cheers,
> Victor
>
> >
> > On Thu, Feb 13, 2014 at 11:55 AM, Victor Julien <victor@inliniac.net
> > <mailto:victor@inliniac.net>> wrote:
> >
> > On 02/12/2014 09:47 PM, Gofran, Paul wrote:
> > > Can the log files (specifically HTTP log) natively log to the syslog
> > > facility?
> >
> > No.
> >
> > > I wanted to follow up to see if this is something that is desired or
> > > would be a priority? Is this something that the project would prefer
> > > to accept as a patch if contributed? Or are there reasons why this
> > > hasn't been included?
> >
> > I think it wouldn't be hard to add, but I don't think it's a big
> > priority for us. That said, there are some people that ask for it, so
> > I'd be happy to take a patch.
> >
> > > I found the following forum where this was brought up a while ago, did
> > > anything ever come of it?
> > >
> > > http://comments.gmane.org/gmane.comp.security.ids.oisf.user/1358
> >
> > I don't think so. In irc we recently discussed the topic of log file
> > rotation. I think Jason Ish might be working on something there.
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list:
> > oisf-devel@openinfosecfoundation.org
> > <mailto:oisf-devel@openinfosecfoundation.org>
> > Site: http://suricata-ids.org | Participate:
> > http://suricata-ids.org/participate/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel@openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
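As an added example (not from this thread or the Suricata project), a small Python consumer for the eve-log-over-syslog setup Victor describes: it decodes the RFC 3164 PRI, keeps only lines from facility local5 carrying the configured identity, parses the JSON payload and summarizes events by event_type, rejecting anything that is not a well-formed eve event. The sample lines, the signature id and the RFC 3164 framing are constructed assumptions, not captured sensor output.

```python
import json
import re

# Constructed sample lines (not real sensor output) from an eve-log output with
# type: syslog, identity "suricata", facility local5 (21), level Info (6), so
# PRI = 21*8+6 = 174. RFC 3164 framing with identity as the tag is an assumption.
SAMPLE_LINES = [
    '<174>Feb 13 19:25:23 sensor1 suricata[1234]: {"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":'
    '{"signature_id":1000001,"signature":"CONSTRUCTED test alert","severity":1}}',
    '<174>Feb 13 19:25:24 sensor1 suricata[1234]: {"event_type":"dns","dns":{"rrname":"example.com"}}',
    '<174>Feb 13 19:25:25 sensor1 suricata[1234]: not json at all',
    '<38>Feb 13 19:25:26 sensor1 sshd[999]: Accepted publickey for root',
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                             # PRI = facility*8 + severity
    r"(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # BSD timestamp
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[\d+\])?: "                # tag = eve-log identity[pid]
    r"(?P<msg>.*)$"
)
FACILITY_LOCAL5 = 21

def parse_eve_syslog(line, identity="suricata", facility=FACILITY_LOCAL5):
    # Returns (event, "ok") for a well-formed eve event, else (None, reason).
    m = SYSLOG_RE.match(line)
    if not m:
        return None, "not syslog"
    if int(m.group("pri")) // 8 != facility:   # drop other facilities
        return None, "other facility"
    if m.group("tag") != identity:             # drop other programs
        return None, "other program"
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None, "bad json"
    if not isinstance(event, dict) or "event_type" not in event:
        return None, "not eve"
    return event, "ok"

def summarize(lines, identity="suricata"):
    # Counts events per event_type (rejects per reason) and collects alert tuples.
    counts, alerts = {}, []
    for line in lines:
        event, reason = parse_eve_syslog(line, identity)
        key = event["event_type"] if event else reason
        counts[key] = counts.get(key, 0) + 1
        if event and key == "alert":
            a = event["alert"]
            alerts.append((event["src_ip"], event["dest_ip"], a["signature_id"], a["severity"]))
    return counts, alerts
```

Feed it the lines your collector receives on the local5 socket; the reject counters are a cheap way to notice framing changes or a misconfigured facility before events silently vanish.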