[netsa-tools-discuss] super_mediator log output

Chris Inacio inacio at cert.org
Thu Mar 5 16:34:07 EST 2015


Gediminas,

I have good news and bad news.  The good news is that we are fairly close to having JSON output fully implemented.  The bad news is that it must still go through our release review process before we can publish the source code and distribute it.

Our guess, from your issue, is that you are using ArcSight.  We also believe that ArcSight can ingest JSON formatted records at this point.  Can you confirm that for us, so that we know JSON would solve your problem?


Regards,
--
Chris Inacio
inacio at cert.org



> On Mar 5, 2015, at 9:37 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
> 
> Hello,
> 
> You should go with something that all solutions understand: CSV or key=value. Also proper timestamps and preferably one log per line. At the moment I just can't retrieve a single log from those log files.
> 
> On Mar 5, 2015 3:58 PM, "Chris Inacio" <inacio at cert.org> wrote:
> Mr. Margis,
> 
> Can you also let us know which SIEM you are trying to use.  We are considering supporting more output formats, but would like to support formats that cover the largest number of solutions.
> 
> 
> --
> Chris Inacio
> inacio at cert.org
> 
> 
> 
> > On Mar 5, 2015, at 7:42 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
> >
> > Hello,
> >
> > I went through the documentation of super_mediator, but I could not find if it is possible to get a single-line log per "event".
> >
> > At the moment everything goes to a separate line. Is it possible to get a single line for a full log per "http" request, including DPI information?
> >
> > The goal is to read these logs with a SIEM solution. Now separate requests that happen at the same time cannot be extracted with multi-line parsing.
> >
> > --
> > Best Regards,
> >
> > Gediminas Margis,
> > +37068600659
> >
> > PGP Key-ID: 0xE6D92FE2FA3AD133
> > 77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133
> 
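The problem Gediminas describes, and the one-record-per-line output Chris proposes, as an added example that is not part of the thread and not super_mediator's code or output format. The multi-line export below is a constructed stand-in that only reproduces the symptom from the thread (one timestamp line followed by several requests with no per-request delimiter); the field names are illustrative assumptions. A SIEM-style multi-line rule keyed on the timestamp line fuses requests that share a second, while the exporter, which knows the field order, can split them and emit one JSON object per line with an RFC 3339 timestamp that any newline-splitting reader recovers intact.

```python
import json
import re
from datetime import datetime, timezone

# Constructed multi-line export (NOT super_mediator's real format).
# A timestamp line opens a block; every HTTP request seen during that
# second follows as key: value lines with no per-request separator.
# Field names are illustrative assumptions, not a documented schema.
MULTILINE_EXPORT = """\
2015-03-05 14:37:01
sourceIPv4Address: 10.0.0.5
destinationIPv4Address: 93.184.216.34
httpHost: example.com
httpGet: /index.html
sourceIPv4Address: 10.0.0.9
destinationIPv4Address: 93.184.216.34
httpHost: example.com
httpGet: /login
2015-03-05 14:37:02
sourceIPv4Address: 10.0.0.5
destinationIPv4Address: 198.51.100.7
httpHost: cdn.example.net
httpGet: /a.js
"""

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
RECORD_START_FIELD = "sourceIPv4Address"  # assumed first field of each request


def siem_multiline_events(text):
    """Mimic a generic SIEM multi-line rule: an event begins at a line that
    looks like a timestamp and continues until the next such line.  Returns
    one list of lines per event.  Two requests logged in the same second are
    fused into a single event because nothing else marks a boundary."""
    events = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            events.append([line])
        elif events:
            events[-1].append(line)
    return events


def parse_records(text):
    """Split the block format into individual requests.  This works only
    because the exporter knows the field order (a request starts at
    RECORD_START_FIELD), which a SIEM parsing opaque text does not."""
    records, ts = [], None
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            ts = datetime.strptime(line, "%Y-%m-%d %H:%M:%S").replace(
                tzinfo=timezone.utc)
            continue
        key, _, value = line.partition(": ")
        if key == RECORD_START_FIELD:
            if ts is None:
                raise ValueError("record before any timestamp line")
            # Unambiguous, zone-qualified timestamp carried on every record.
            records.append({"flowStartTime":
                            ts.isoformat().replace("+00:00", "Z")})
        if not records:
            raise ValueError("field %r before the start of a record" % key)
        records[-1][key] = value
    return records


def to_json_lines(records):
    """One JSON object per line: the format a SIEM can split on newlines."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"


def siem_json_events(text):
    """What a newline-delimited JSON reader recovers: one event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    fused = siem_multiline_events(MULTILINE_EXPORT)
    print("multi-line rule sees %d events for 3 requests" % len(fused))
    ndjson = to_json_lines(parse_records(MULTILINE_EXPORT))
    print(ndjson, end="")
    print("JSON-lines reader sees %d events" % len(siem_json_events(ndjson)))
```

Run stand-alone it prints two events from the multi-line rule against three from the JSON-lines reader; the same `flowStartTime` on two records is harmless once each record occupies its own line.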



