Output Options / FIFO

[SpudDogg]

Is your feature request related to a problem? Please describe. Sagan can currently only output eve logs to regular file, and only one at a time.

Describe the solution you'd like The ability to output eve to a file, example /var/log/sagan.json while simultaneously writing to another log, perhaps to a ramdisk /tmp/ramdisk/sagan.json.

Also, Sagan cannot output eve to a fifo. There are workarounds where this does work, however Sagan will not keep the fifo open and let data spool when a reader/listener is not running.

Ideally, I'd be able to write eve to disk and a fifo simultaneously!

Describe alternatives you've considered I looked into Suricata, and while it does not specify fifo as an output file type, there are options for unix_stream, unix_dgram, etc.

[beave]

You might want to look at Meer (https://github.com/beave/meer). It will let you write to databases, redis, fifo, etc. at the same time. It's still new software but might help.

[beave]

Meer will also write to a pipe as well.. :)

[beave]

Does this help? Or do you think it would still be better to have multiple outputs?

[SpudDogg]

Does this help? Or do you think it would still be better to have multiple outputs?

Thank you for the replies. I'm not using Meer, instead a combination of ramdisk files as a workaround. I would definitely prefer the ability to have Sagan output directly to a combination of files and fifos. It would be ideal to have the ability to write logs to one file (or fifo) and alerts to a separate file (or fifo).

Thank you again for your work!

[beave]

What type of data are you trying to inject? I'll have to ponder this more to determine if it's worth the time. That is, is the dev time better here than elsewhere. Thank you.