Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I need to set up a machine that will log all packets traversing a gateway. The gateway is a Cisco router, and I'm mirroring a port over, so getting the packets to the machine isn't the issue. It's the processing and handling that I need advice with.
There are two things I want to do with this set up. The first is to create daily (possibly hourly) pcap style binary files that will rotate on a monthly basis. This is easy to accomplish with daemonlogger. I just tell it to make a new file after x time and to keep y files.
The second thing is to pass this info into an analysis program. I'm looking at using splunk, which will give a ton of power in terms of searching and reporting. The only problem is that I need to feed the data into splunk. I have made a configuration bundle that will ingest the output of snort by directing it into a named pipe. One difficulty is that I wish to log the entire packet, but not really the hex part. So far snort is the only thing I've found that will log text of the packet contents and ignore the hex.
I can use snort to read the pcap files generated by daemonlogger, but the filenames change with every epoch and it needs some sort of buffering. If you start a file going and then have snort read it, snort will eventually hit the EOF and stop even though more stuff is being logged to it. I'd have to get it into a pipe so that snort didn't stop attempting to process it.
So any suggestions on how to get this into something that will be stable and work reliably? I've looked at things like ACID and BASE, but those are mostly for intrusion detection with snort. I'm not doing any filtering or processing....just logging every packet.
One difficulty is that I wish to log the entire packet, but not really the hex part. So far snort is the only thing I've found that will log text of the packet contents and ignore the hex. (..) I'm not doing any filtering or processing....just logging every packet.
No you're not. You want to log packets w/o processing yet you use Snort to extract human readable text from pcaps and still maintain you're "not doing any filtering or processing". How does that match? Maybe explain (reason, requirements, examples and such) what details exactly you're interested in wrt logging.