Short and to the point.
This patch (shown below), authored by Eric Leblond and present in the latest git master at the time of writing, makes the JSON log output of Suricata IDPS CIM compliant (Common Information Model, the Splunk Data Source Integration field naming), so that its data can be correlated with data from other sources.
In other words, when using the JSON output for logging in Suricata (available in the current git master and expected to reach maturity in Suricata 2.0), you can use Logstash and Kibana to query, filter and present log data in a way that follows the CIM.
The patch's info:
commit 7a9efd74e4d88e39c6671f6a0dda28ac931ffe10
Author: Eric Leblond <eric@regit.org>
Date: Thu Jan 30 23:33:45 2014 +0100
json: sync key name with CIM
This patch synchronizes key names with the Common Information Model.
It updates key names following what is proposed in:
http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The interest of these modifications is that using the same key names
as other software will make the data easy to correlate and improve.
For example, the geoip setting in logstash can be applied on
all src_ip fields, allowing geoip tagging of data.
How? You could try reading the following:
https://home.regit.org/2014/01/a-bit-of-logstash-cooking/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
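The benefit the commit message describes, as an added example that is not part of the post or of the Suricata patch: once every event type carries the same CIM-style keys (src_ip, dest_ip, src_port, dest_port), a single enrichment keyed on a field name, and a single correlation rule, cover alert, http and dns events alike. The EVE JSON lines below are constructed samples, and the network-to-label table is a stand-in for the GeoIP database a real Logstash geoip filter would use; the function names and the grouping key are my choices, not anything from Suricata or Logstash.

```python
"""Added example (not from the post or the Suricata patch): one enrichment and one
correlation rule applied over CIM-style keys shared by all Suricata EVE event types."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not real Suricata output). All three event
# types carry the same address keys, which is what the patch provides.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-01-30T23:40:01.000000+0100","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"signature":"EXAMPLE constructed alert","severity":2}}',
    '{"timestamp":"2014-01-30T23:40:01.100000+0100","event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","http":{"hostname":"example.test","url":"/index.html"}}',
    '{"timestamp":"2014-01-30T23:40:02.000000+0100","event_type":"dns",'
    '"src_ip":"10.0.0.7","src_port":40000,"dest_ip":"198.51.100.53","dest_port":53,'
    '"proto":"UDP","dns":{"type":"query","rrname":"example.test"}}',
    'this line is deliberately not JSON',
]

# Constructed stand-in for a GeoIP database, keyed by network. The real Logstash
# geoip filter uses MaxMind data; what matters here is that the lookup is keyed on
# a field name, not on an event type.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "internal",
    ipaddress.ip_network("192.0.2.0/24"): "TEST-NET-1",
    ipaddress.ip_network("198.51.100.0/24"): "TEST-NET-2",
}


def parse_eve(lines):
    """Parse EVE JSON lines; a malformed line is skipped rather than stopping the pipeline."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def geo_lookup(ip_str):
    """Return the label for the first network containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, label in GEO_TABLE.items():
        if ip in net:
            return label
    return None


def enrich_geo(events, field="src_ip"):
    """Tag every event carrying `field` with its geo label, whatever its event_type.
    This mirrors the commit message's point: geoip applied on all src_ip fields."""
    for ev in events:
        if field in ev:
            label = geo_lookup(ev[field])
            if label is not None:
                ev.setdefault("geoip", {})[field] = label
    return events


def correlate(events):
    """Group event types by the shared (src_ip, dest_ip, dest_port) key, which only
    works because every event type spells those keys the same way."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port"))
        groups[key].append(ev["event_type"])
    return dict(groups)


if __name__ == "__main__":
    evs = enrich_geo(enrich_geo(parse_eve(SAMPLE_EVE_LINES)), "dest_ip")
    for ev in evs:
        print(ev["event_type"], ev.get("geoip"))
    print(correlate(evs))
```

Swapping the constructed table for a real GeoIP lookup changes only geo_lookup; parse_eve, enrich_geo and correlate stay as they are, which is the practical payoff of standardized key names.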