[Snort-openappid] Logging & app_stats_period

Aaron Glenn aaron.glenn at ...8...
Sun Apr 17 11:00:58 EDT 2016


Greetings,

I have two questions, relating to logging as well as identification granularity:

 - Is there a recommended or straightforward way to ship appstats logs
to either syslog or (ideally) convert to JSON directly? I tried
idstools u2json without success. Is anyone using an ELK stack or
similar with openappid?

 - Can someone point me to more information on how the
app_stats_period configuration value changes openappid behavior? (I've
yet to dive into the code; I'm not much of a programmer...) Running
through larger pcaps I see some but not all of the "Facebook" and
"Google" traffic.

Many thanks.

Aaron