[netsa-tools-discuss] super_mediator log output

Chris Inacio inacio at cert.org
Thu Apr 30 16:10:09 EDT 2015


Gediminas,

I was looking through list archives and noticed I never answered your question:  I apologize for that.  

I really hope to be able to get that code out to the public in the next 2-3 months.  (Much slower than I would like.)  I’ve gotten some amount of verbal approval at this point, but there is still paperwork to do.  Although honestly, the release has been in the works for ~6 months, so we’re hopefully on the tail end of getting the approvals finished.

regards,
--
Chris Inacio
inacio at cert.org



> On Mar 6, 2015, at 3:26 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
> 
> And maybe you have some estimates when we should expect this in source code? a week, a month, half a year?
> 
> On 2015-03-06 8:40 AM, Gediminas Margis wrote:
>> Hello,
>> 
>> Yes, I work with ArcSight, but also with ELK, Juniper SA and others. JSON would be perfect output format.
>> 
>> If the log was consistent in those files I would be able to parse them off the bat. But when a few events are registered at the same time, fields from different events intertwine. That is where I lose the ability to do any parsing.
>> 
>> On 2015-03-05 11:34 PM, Chris Inacio wrote:
>>> Gediminas,
>>> 
>>> I have good news and bad news.  The good news is that we are fairly close to having JSON output fully implemented.  The bad news is that it must still go through our release review process before we can publish the source code and distribute it.
>>> 
>>> Our guess, from your issue, is that you are using ArcSight.  We also believe that ArcSight can ingest JSON formatted records at this point.  Can you confirm that for us, so that we know JSON would solve your problem?
>>> 
>>> 
>>> Regards,
>>> --
>>> Chris Inacio
>>> 
>>> inacio at cert.org
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Mar 5, 2015, at 9:37 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> You should go with something that all solutions understand: CSV or key=value. Also proper timestamps and preferably one log per line. At the moment I just can't retrieve a single log from those log files.
>>>> 
>>>> On Mar 5, 2015 3:58 PM, "Chris Inacio" <inacio at cert.org> wrote:
>>>> Mr. Margis,
>>>> 
>>>> Can you also let us know which SIEM you are trying to use.  We are considering supporting more output formats, but would like to support formats that cover the largest number of solutions.
>>>> 
>>>> 
>>>> --
>>>> Chris Inacio
>>>> 
>>>> inacio at cert.org
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Mar 5, 2015, at 7:42 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> I went through the documentation of super_mediator, but I could not find if it is possible to get a single-line log per "event".
>>>>> 
>>>>> At the moment everything goes to a separate line. Is it possible to get a single line for a full log per "http" request, including DPI information?
>>>>> 
>>>>> The goal is to read these logs with a SIEM solution. Now separate requests that happen at the same time cannot be extracted with multi-line parsing.
>>>>> 
>>>>> --
>>>>> Best Regards,
>>>>> 
>>>>> Gediminas Margis,
>>>>> +37068600659
>>>>> 
>>>>> PGP Key-ID: 0xE6D92FE2FA3AD133
>>>>> 77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133
>>>>> 
>> 
> 
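The interleaving problem raised in this thread, shown as an added example: this is not super_mediator code, and the record layout, field names and sample values are made up for illustration. Two records written one field per line by concurrent writers come out interleaved and a line-oriented parser silently drops or merges fields, while emitting each record as a single JSON line keeps every record intact.

```python
import json

# Two constructed HTTP flow records (hypothetical field names, not super_mediator's).
RECORDS = [
    {"ts": "2015-03-05T07:42:00Z", "sip": "10.0.0.5", "dip": "192.0.2.10",
     "method": "GET", "host": "example.org"},
    {"ts": "2015-03-05T07:42:00Z", "sip": "10.0.0.6", "dip": "192.0.2.11",
     "method": "POST", "host": "example.net"},
]


def multiline_interleaved(records):
    """Simulate field-per-line output from writers that run at the same time.
    Round-robin over the records is the worst-case interleaving."""
    streams = [[f"{k}: {v}" for k, v in r.items()] for r in records]
    out = []
    for fields in zip(*streams):
        out.extend(fields)
    return "\n".join(out)


def parse_multiline(text):
    """Naive multi-line parser: a 'ts' line starts a new record, later lines
    attach to the current one. Interleaved input makes it attribute fields to
    the wrong record, and duplicate keys overwrite earlier values."""
    records, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "ts":
            if cur:
                records.append(cur)
            cur = {}
        if cur is not None:
            cur[key] = value
    if cur:
        records.append(cur)
    return records


def to_ndjson(records):
    """One JSON object per line. json.dumps escapes any newline inside a value,
    so the record plus its trailing newline is one complete unit; a writer that
    emits it with a single write() cannot have its fields split by another."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def parse_ndjson(text):
    """Line-oriented reader: every non-empty line is exactly one record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```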