
A quick post about logs

I’ve been working on Samhain and Yule, and started to regain interest in correlation engines and SIEM.

Why don’t we take our logs from over here and put them in ElasticSearch over there?

But, where do I do the analysis? Here or there? Or both? Or what?

Security “log event watchers”:

Correlation engines:

Transporters:

  • nxlog (transmits CSV, JSON, XML, key-value pairs, GELF, syslog, SQL, or anything you can script or write, like a pipeline)
  • rsyslog (transmits the Linux journal, named pipes, stdout, SQL (with special handling for MySQL and Oracle), Elasticsearch, with many more to come in upcoming versions)
  • logstash-forwarder/Lumberjack (transmits via the lumberjack protocol to logstash)
  • gelfino (transmits GELF)
  • other sysloggy stuff

Parsers/Massagers:

Stack 1: Logstash + ( Kibana &&|| Graylog) + elasticsearch:

Stack 2: Lumberjack + ceelog + rsyslog + elasticsearch + kibana:
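As an added example (not code from this post, nor from rsyslog, ceelog, logstash or Elasticsearch), here is a small Python normaliser of the kind that sits in the "massager" slot of Stack 2: it parses RFC 3164-style syslog lines, unpacks a `@cee:` JSON payload (the CEE cookie that ceelog emits and rsyslog's mmjsonparse module understands) or `key=value` pairs, and renders the result as Elasticsearch bulk-API NDJSON. The sample lines, hostnames, daily index naming and the `year` default are constructed for the example; lines that fail to parse are kept with their raw text rather than dropped, so a parsing gap shows up in the index instead of silently losing an event.

```python
"""Syslog -> JSON normaliser: an added example of the 'massager' step between
a transporter (rsyslog/lumberjack) and Elasticsearch. Not code from the post
or from any of the tools it names."""
import json
import re
from datetime import datetime

# RFC 3164-style header: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# key=value or key="quoted value" pairs, as many daemons emit them
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
CEE_COOKIE = "@cee:"  # CEE cookie marking a JSON payload inside a syslog message
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input (hosts, PIDs and addresses are made up).
SAMPLE_LINES = [
    "<34>Mar  5 10:15:01 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 52211 ssh2",
    '<13>Mar  5 10:15:02 web01 samhain[2201]: @cee: {"event":"file_changed","path":"/etc/passwd","checksum_ok":false}',
    '<14>Mar  5 10:15:03 db01 audit: action=login user="alice smith" result=ok',
    "garbage that is not syslog at all",
]


def parse_line(line, year=2014):
    """Turn one syslog line into a flat dict. Never drops an event: a line
    that does not parse comes back with its raw text under 'unparsed'."""
    raw = line.rstrip("\n")
    m = SYSLOG_RE.match(raw)
    if not m:
        return {"unparsed": raw, "format": "unknown"}
    ts = " ".join(m.group("ts").split())  # collapse "Mar  5" to "Mar 5"
    # RFC 3164 timestamps carry no year; the caller supplies it (assumption)
    stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    doc = {
        "@timestamp": stamp.isoformat(),
        "host": m.group("host"),
        "program": m.group("tag"),
        "message": m.group("msg"),
        "format": "plain",
    }
    if m.group("pid"):
        doc["pid"] = int(m.group("pid"))
    if m.group("pri") is not None:  # PRI = facility * 8 + severity
        pri = int(m.group("pri"))
        doc["facility"] = pri // 8
        doc["severity"] = SEVERITY[pri % 8]
    msg = m.group("msg")
    if msg.startswith(CEE_COOKIE):
        try:
            payload = json.loads(msg[len(CEE_COOKIE):])
        except ValueError:
            payload = None
        if isinstance(payload, dict):
            doc["format"] = "cee"
            # Structured fields are merged in, but the envelope fields derived
            # from the header (host, timestamp, severity) are never overwritten.
            for key, value in payload.items():
                doc.setdefault(key, value)
        else:
            doc["format"] = "cee-invalid"  # malformed JSON: keep raw text for triage
        return doc
    pairs = KV_RE.findall(msg)
    if pairs:
        doc["format"] = "kv"
        for key, val, quoted in pairs:
            doc.setdefault(key, quoted if val.startswith('"') else val)
    return doc


def to_bulk(docs, index_prefix="logs"):
    """Render parsed documents as Elasticsearch bulk-API NDJSON: an action
    line followed by the source line, one daily index per event date."""
    out = []
    for d in docs:
        day = d["@timestamp"][:10].replace("-", ".") if "@timestamp" in d else "unparsed"
        out.append(json.dumps({"index": {"_index": f"{index_prefix}-{day}"}}))
        out.append(json.dumps(d, sort_keys=True))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_bulk(parse_line(line) for line in SAMPLE_LINES))
```

The output of `to_bulk` is what you would POST to `/_bulk`; the point of doing the parsing before indexing is that fields such as `severity`, `program` and the CEE keys become queryable in Kibana instead of being buried in a free-text `message`, and the `format` field tells you which lines the massager could not make sense of.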

UIish:

Storeish:

Stack 3:
logstash and solr: http://logstash4solr.lucidworks.com/

Sources:
