I’m quite new to logging systems, so probably this question is just that I am not understanding the context properly.
I am setting up a lab environment that has a Snort sensor and I am trying to understand how to correctly log its data. I understand there are lots of tools (e.g. Sguil and its dependents) that provide a comprehensive solution, however they are starting to become a bit aged. Moreover, I have used Graylog for syslog/netflow capture before and quite like it, so I was wondering how much of the same functionality would also be possible using Graylog. One function they provide is a mapping of an event back to the packet that caused the intrusion detection event (and a UI to view the packet).
So, what I don't understand with Graylog is: if I get an event (e.g. a syslog message from an IDS alerting that an intrusion attempt was detected) which also has a packet capture associated (e.g. stored as a flat file on the IDS), how can this information be managed with Graylog?
For example, it raises these queries:
- Is it feasible to submit a pcap file (or a binary string) to be associated with a log item?
- Should the event be tagged with a filename/URI of the capture, so the viewer can manually download the packet capture on demand?
- Only use the timestamp of the event, and the user has to manually search for the pcap on the IDS?
I’ve looked at How to send Snort IDS alert logs into Graylog, but it only deals with events and not the associated packet captures.
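One concrete shape of the second option (tag the event with a reference to the capture), added here as an illustration and not taken from the original post, Snort or Graylog: parse a Snort fast-alert line, find the pcap record nearest the alert timestamp by reading only the libpcap file framing, and emit a GELF 1.1 message whose custom fields carry the capture URI and record offset. The alert line, the pcap bytes and the sid are constructed for the example, and the pcap URI is a placeholder.

```python
import re
import struct
from datetime import datetime, timezone

# Snort alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_fast_alert(line, year):
    """Parse one fast-alert line; the year is supplied because the format omits it."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    d = m.groupdict()
    ts = datetime.strptime("%d/%s" % (year, d["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
    d["epoch"] = ts.replace(tzinfo=timezone.utc).timestamp()
    return d

def find_packet_offset(pcap, epoch, tolerance=1.0):
    """Byte offset of the pcap record whose timestamp is nearest `epoch` (within tolerance), or None."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # libpcap magic decides byte order
    off, best = 24, None                                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        delta = abs(sec + usec / 1e6 - epoch)
        if delta <= tolerance and (best is None or delta < best[1]):
            best = (off, delta)
        off += 16 + incl_len                                   # jump to the next record header
    return None if best is None else best[0]

def to_gelf(alert, host, pcap_uri, pcap_offset=None):
    """GELF 1.1 message; Graylog requires custom fields to start with '_'."""
    msg = {"version": "1.1", "host": host, "short_message": alert["msg"],
           "timestamp": alert["epoch"], "level": 4, "_sid": int(alert["sid"]),
           "_src_ip": alert["src"], "_dst_ip": alert["dst"], "_proto": alert["proto"],
           "_pcap_uri": pcap_uri}               # where an analyst can fetch the capture
    if pcap_offset is not None:
        msg["_pcap_offset"] = pcap_offset     # record position inside that file
    return msg

# --- constructed sample data (sid is a placeholder in the local-rule range) ---
SAMPLE_ALERT = ("01/15-14:22:09.512345  [**] [1:1000001:1] LOCAL lab test rule [**] "
                "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234")
_s = int(parse_fast_alert(SAMPLE_ALERT, 2024)["epoch"])
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", sec, usec, 60, 60) + b"\x00" * 60          # three 60-byte dummy frames
    for sec, usec in [(_s - 5, 0), (_s, 512545), (_s + 3, 0)])     # the 2nd is 200 us after the alert
```

The resulting dict can be sent to a Graylog GELF input as JSON; searching on `_sid` or `_src_ip` then gives the analyst the `_pcap_uri` and `_pcap_offset` needed to pull the exact packet from the sensor.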