
    OpenAppID Stats

    IDS/IPS
      Noebas

      I'm trying to get the OpenAppID stats into ELK.

      I'm using the u2openappid command to get the data into a log file. This log file can then be sent to Logstash using syslog-ng.
      The problem I'm facing is that the file has a different name (timestamp) every time. I'm hoping to use a cron job running something like this:

      u2openappid /var/log/snort/snort_em02035/app-stats.log.* > /var/syslog-ng/openappid.log

      And then use syslog-ng to tail the file:

      {
      syslog(transport(udp) port(5150) ip(127.0.0.1));
      file("/var/syslog-ng/openappid.log" program_override("OpenAppID") flags(no-parse) follow_freq(1) );
      };

      Has anybody been trying the same?
      The result should be easy to parse using Logstash, so the problem is more getting it there.

      Grok:
      statTime="1428925680",appName="amazon",txBytes="45553",rxBytes="52296"
      statTime="%{WORD:timestamp}",appName="%{WORD:appName}",txBytes="%{INT:app_txBytes}",rxBytes="%{INT:app_rxBytes}"

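One way to deal with the changing file names, as an added example written for this page (not code from the original post, from Snort, or from Netgate): instead of re-running u2openappid over every app-stats.log.* file and overwriting the output with `>`, a cron script records which files it has already converted and appends only the new ones to the file that the syslog-ng file() source follows. Appending matters because a `>` redirect truncates the tailed file on every run, and a `follow_freq()` tail then either re-reads the whole file or misses lines. The stats directory and output path are the ones from the post; the state-file path and the assumption that u2openappid takes a single file argument and prints the `statTime="..."` lines shown above to stdout are mine. `U2OPENAPPID` can be pointed at a stub so the script can be exercised without Snort installed.

```shell
#!/bin/sh
# Added example for this page (not code from the original post, Snort, or
# Netgate): convert each new OpenAppID stats file exactly once and append the
# result to the file syslog-ng tails, so the changing file names stop mattering.
#
# Assumptions (not from the post): u2openappid takes one file argument and
# writes the statTime="..." lines shown in the post to stdout; the state file
# path below is made up; U2OPENAPPID can be overridden to point at a stub.

STATS_DIR="${STATS_DIR:-/var/log/snort/snort_em02035}"      # from the post
OUT_FILE="${OUT_FILE:-/var/syslog-ng/openappid.log}"        # file() source path
STATE_FILE="${STATE_FILE:-/var/db/openappid-converted.txt}" # assumed path
U2OPENAPPID="${U2OPENAPPID:-u2openappid}"

# True when the file name is already recorded in the state file.
already_done() {
    [ -f "$STATE_FILE" ] && grep -qxF "$1" "$STATE_FILE"
}

# Pass only lines in the exact shape the Logstash grok expects; converter
# banners or truncated lines are dropped here instead of becoming
# _grokparsefailure events downstream.
filter_stats() {
    grep -E '^statTime="[0-9]+",appName="[^"]*",txBytes="[0-9]+",rxBytes="[0-9]+"$'
}

# Convert every unseen app-stats.log.<epoch> in STATS_DIR, oldest first
# (ten-digit epoch suffixes sort correctly as strings, so glob order is
# time order), appending with >> so syslog-ng's follow_freq() tail sees new
# lines rather than a truncated file. Prints the number of files converted.
convert_new_stats() {
    count=0
    for f in "$STATS_DIR"/app-stats.log.*; do
        [ -e "$f" ] || continue            # glob matched nothing
        if already_done "$f"; then
            continue
        fi
        tmp=$(mktemp)
        if "$U2OPENAPPID" "$f" > "$tmp"; then
            # grep exits 1 when nothing matches; that is not an error here.
            filter_stats < "$tmp" >> "$OUT_FILE" || true
            printf '%s\n' "$f" >> "$STATE_FILE"
            count=$((count + 1))
        else
            echo "convert_new_stats: $U2OPENAPPID failed on $f" >&2
        fi
        rm -f "$tmp"
    done
    echo "$count"
}

# Cron entry (assumed path): * * * * * /usr/local/bin/openappid-convert.sh run
case "${1:-}" in
    run) convert_new_stats ;;
esac
```

The file() source block from the post needs no change; it keeps tailing the same output path. Since statTime is a Unix epoch, a Logstash date filter with the UNIX format can turn it into @timestamp rather than leaving it as a string.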
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.