[netsa-tools-discuss] super_mediator log output

Gediminas Margis gediminas.margis at gmail.com
Fri Mar 6 01:40:00 EST 2015


Hello,

Yes, I work with ArcSight, but also with ELK, Juniper SA and others.
JSON would be perfect output format.

If the log was consistent in those files I would be able to parse them
of the bat. But when few events are registered at the same time fields
from different events intertwine. That is where I lose the ability to do
any parsing.

On 2015-03-05 11:34 PM, Chris Inacio wrote:
> Gediminas,
>
> I have good news and bad news.  The good news is that we are fairly close to having JSON output fully implemented.  The bad news is that it must still go through our release review process before we can publish the source code and distribute it.
>
> Our guess, from your issue, is that you are using ArcSight.  We also believe that ArcSight can ingest JSON formatted records at this point.  Can you confirm that for us, so that we know JSON would solve your problem?
>
>
> Regards,
> --
> Chris Inacio
> inacio at cert.org
>
>
>
>> On Mar 5, 2015, at 9:37 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
>>
>> Hello,
>>
>> You should go with something that all solutions understand: CSV or key=value. Also propper timestamps and preferably one log per line. At the moment I just cant retrieve a single log from those log file.
>>
>> On Mar 5, 2015 3:58 PM, "Chris Inacio" <inacio at cert.org> wrote:
>> Mr. Margis,
>>
>> Can you also let us know which SIEM you are trying to use.  We are considering supporting more output formats, but would like to formats that cover the largest number of solutions.
>>
>>
>> --
>> Chris Inacio
>> inacio at cert.org
>>
>>
>>
>>> On Mar 5, 2015, at 7:42 AM, Gediminas Margis <gediminas.margis at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> I went through the documentation of super_mediator, but I could not find if it is possible to get a single-line log per "event".
>>>
>>> At the moment everything goes to a separate line. Is it possible to get a single line for a full log per "http" requests including DPI information?
>>>
>>> The goal is to read these logs with SIEM solution. Now separate requests that happen at the same time cannot be extracted with multi-line parsing.
>>>
>>> --
>>> Best Regards,
>>>
>>> Gediminas Margis,
>>> +37068600659
>>>
>>> PGP Key-ID: 0xE6D92FE2FA3AD133
>>> 77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133

-- 
Best Regards,

Gediminas Margis,
+37068600659

PGP Key-ID: 0xE6D92FE2FA3AD133
<http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE6D92FE2FA3AD133>
77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133
-------------- next part --------------
HTML attachment scrubbed and removed


More information about the netsa-tools-discuss mailing list