StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Selks 4/5 injecting logs #137

Open migueljtc opened 6 years ago

migueljtc commented 6 years ago

I need to inject old logs into SELKS. How can I do it?

Example: I monitored 2 weeks of traffic from 6 months ago on a trial basis. Now I've upgraded everything (HW/SW) and want to import those logs for evidence and historical purposes.

Is there a way to do this? Are the logs just Suricata's "/var/log/suricata/eve.json" and "/var/log/suricata.log"?

This would also be very interesting in an after-incident event: get the +/- "time frame" in which the incident happened and then inject it into a SELKS to analyse possible hints.

Is this possible?

Thanks,

pevma commented 6 years ago

You can try something like:

systemctl stop logstash
rm /var/cache/logstash/sincedbs/since.db
# copy over the new eve.json into /var/log/suricata/
systemctl start logstash

Then you would need to look at the dashboards with the proper time range (also maybe consider stopping and starting the Suricata service).
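The sequence above works because Logstash tracks its read position in the sincedb; deleting it makes the file input re-read eve.json from the beginning. As an added example (not part of this issue and not SELKS project code), the script below wraps those steps in a function that first checks the old file is one JSON object per line and reports the first and last event timestamps, so you know which time range to set in the dashboards. The paths are the SELKS defaults quoted in the issue; the SINCEDB and EVE_DEST variable names, the sed pattern for the timestamp field, and the three sample eve records are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the SELKS issue or project. Helper functions around the
# re-ingestion steps described in the issue. Paths default to the SELKS locations
# quoted there; SINCEDB and EVE_DEST are assumed names, override them for another layout.
set -eu

SINCEDB="${SINCEDB:-/var/cache/logstash/sincedbs/since.db}"
EVE_DEST="${EVE_DEST:-/var/log/suricata/eve.json}"

# Print the earliest and latest "timestamp" value in an eve.json file, separated
# by a space. Suricata writes ISO-8601 timestamps with a fixed UTC offset, so a
# lexical sort of the values yields chronological order.
eve_time_range() {
    file="$1"
    ts=$(sed -n 's/.*"timestamp": *"\([^"]*\)".*/\1/p' "$file" | sort)
    [ -n "$ts" ] || { echo "no timestamps found in $file" >&2; return 1; }
    first=$(printf '%s\n' "$ts" | head -n 1)
    last=$(printf '%s\n' "$ts" | tail -n 1)
    printf '%s %s\n' "$first" "$last"
}

# Count lines that are not a single-line JSON object. Logstash's json codec
# would log a parse failure for each of them, so this is a cheap sanity check
# to run before copying an old file into place.
eve_bad_lines() {
    grep -cv '^{.*}$' "$1" || true
}

# Apply the steps from the issue: stop Logstash, drop its sincedb so the file is
# read from the start, install the old eve.json, start Logstash again. Aborts
# if the file fails the sanity check. Needs root; not invoked in this script.
reinject_eve() {
    src="$1"
    bad=$(eve_bad_lines "$src")
    [ "$bad" -eq 0 ] || { echo "$src has $bad non-JSON lines, aborting" >&2; return 1; }
    range=$(eve_time_range "$src")
    echo "events span ${range% *} to ${range#* }; set the dashboard time range to match"
    systemctl stop logstash
    rm -f "$SINCEDB"
    cp "$src" "$EVE_DEST"     # stop suricata first if it is still writing this file
    systemctl start logstash
}

# Constructed sample (three minimal eve records, not real traffic) so the checks
# can be exercised offline. Written out of timestamp order on purpose.
SAMPLE="${TMPDIR:-/tmp}/eve-sample.$$.json"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
{"timestamp":"2018-03-02T10:15:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5"}
{"timestamp":"2018-03-01T08:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7"}
{"timestamp":"2018-03-14T23:59:59.000000+0000","event_type":"dns","src_ip":"10.0.0.9"}
EOF

eve_time_range "$SAMPLE"   # 2018-03-01T08:00:00.000000+0000 2018-03-14T23:59:59.000000+0000
eve_bad_lines "$SAMPLE"    # 0
```

To use it on a real archive, source the script and call `reinject_eve /path/to/old/eve.json` as root; the printed time span is what you then select in the Kibana time picker, since the events keep their original timestamps rather than the ingestion time.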