sematext / logagent-js

Extensible log shipper with input/output plugins, buffering, parsing, data masking, and small memory/CPU footprint
https://sematext.com/logagent
Apache License 2.0

logagent-js unix_stream help #238

Closed p0pebp closed 4 years ago

p0pebp commented 4 years ago

New user first post be kind.

I am trying to figure out if this is the right way to have logagent read a unix_stream. This is what I came up with, and if anyone can tell me whether this is right, or whether I should do it differently, or why I should not do it this way, I am all ears / eyes on monitor. System: Raspberry Pi 4 Model B; OS: Raspbian 10; SD card 64 GB, but it gets filled up, so I'm switching to a FIFO socket to prevent many writes to the SD card.

input:
  tcp-rec:
    module: input-tcp
    port: 9303
    bindAddress: 0.0.0.0
    sourceName: MySockPort
    returnResult: false
  port-fwd-to-above-tcp-rec:
    module: command
    command: socat UNIX-LISTEN:/var/log/suricata/eve.sock,fork TCP4:localhost:9303
    sourceName: Mysock
    restart: 0

Thanks PPL

otisg commented 4 years ago

I think #176 has the example.

adnanrahic commented 4 years ago

Yeah, that's the example.

Run Logagent with the --unixSocket <path> flag. The path here should be /var/log/suricata/eve.sock as far as I understand Unix sockets. If you're using a conf file:

input:
  unix-socket-reader:
    path: /var/log/suricata/eve.sock
    maxInputRateMBs: 100 # 100 is default, you can set this to whatever you like

...
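The point of the answer above is that the reader creates the socket and Suricata (with eve-log `filetype: unix_stream`) connects to it and writes one JSON object per line, so nothing listens on a TCP port and nothing hits the SD card. The following is an added example written for this page, not logagent's code and not anything posted in the thread: a minimal Python stand-in for both sides of that exchange, so you can see what the `unix-socket-reader` has to cope with. The two eve-style records are constructed for the demo, the socket path is a temp directory instead of /var/log/suricata/eve.sock, and the second record is deliberately written in two pieces to exercise the partial-line case. It also shows two checks a practitioner wants on a real box: unlinking a stale socket file before bind() (otherwise bind fails after a crash), and setting the umask so the socket file is group-readable only, since eve.json carries alert and DNS data.

```python
import json
import os
import socket
import tempfile
import threading

# Constructed sample records in Suricata eve.json shape (not real traffic).
SAMPLE_EVENTS = [
    {"timestamp": "2020-01-01T00:00:00.000000+0000", "event_type": "alert",
     "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5",
     "alert": {"signature": "ET POLICY example", "severity": 2}},
    {"timestamp": "2020-01-01T00:00:01.000000+0000", "event_type": "dns",
     "src_ip": "192.0.2.11", "dest_ip": "198.51.100.53",
     "dns": {"type": "query", "rrname": "example.test"}},
]


def serve_socket(path, n_events, results, ready):
    """Reader side (the role logagent's unix-socket-reader plays): bind a
    listening Unix stream socket at `path`, accept one writer, split the
    byte stream on newlines and parse each complete line as JSON.  The tail
    of an incomplete line stays buffered until the rest arrives."""
    if os.path.exists(path):
        os.unlink(path)            # stale socket file from a previous run would make bind() fail
    old_umask = os.umask(0o117)    # socket file is created 0777 & ~umask -> 0660
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    results["mode"] = oct(os.stat(path).st_mode & 0o777)
    ready.set()                    # writer may connect only after listen()
    conn, _ = srv.accept()
    buf = b""
    parsed = []
    with conn:
        while len(parsed) < n_events:
            chunk = conn.recv(4096)
            if not chunk:          # writer closed: stop, keep whatever is unparsed
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if line.strip():
                    parsed.append(json.loads(line))
    srv.close()
    results["events"] = parsed
    results["leftover"] = buf      # non-empty here would mean a truncated record


def write_like_suricata(path, events):
    """Writer side (Suricata with eve-log filetype: unix_stream): connect to
    the existing socket and send newline-delimited JSON.  The second record
    is split across two sendall() calls to mimic a partial write."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    with cli:
        cli.sendall((json.dumps(events[0]) + "\n").encode())
        second = (json.dumps(events[1]) + "\n").encode()
        cli.sendall(second[:20])
        cli.sendall(second[20:])


def roundtrip(events=SAMPLE_EVENTS):
    """Run reader and writer against a socket in a temp dir (stand-in for
    /var/log/suricata/eve.sock); return parsed events, leftover bytes and
    the socket file's mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "eve.sock")
        results = {}
        ready = threading.Event()
        t = threading.Thread(target=serve_socket,
                             args=(path, len(events), results, ready))
        t.start()
        ready.wait(5)
        write_like_suricata(path, events)
        t.join(5)
    return results


if __name__ == "__main__":
    r = roundtrip()
    print(r["mode"], [e["event_type"] for e in r["events"]], r["leftover"])
```

If `leftover` ever comes back non-empty after the writer disconnects, the producer closed mid-record; that is the situation a line-oriented reader has to drop rather than feed to the JSON parser, and it is worth counting in production.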