Hi John,

Let me explain a bit more. First, I suggest you look into the redBorder.net site. Not all is there, but you will get the idea.

In essence, we are building an IT management platform around an Apache Kafka service bus. We already have a Barnyard2 Kafka plugin to support Snort (and Suricata) and a basic hack on top of nprobe (not public yet, but soon, and not really well done). So at this stage we support IDS/IPS and NetFlow. From there we will continue to build new bridges into Kafka (mainly syslog and SNMP).

At the same time we are building a real-time intelligence layer, built of course around Kafka, in order to:

* Enrich data with things like geolocation or reputation
* Enable some kind of automatic intelligence based on outlier detection, data clustering, forecasting, etc.
* Implement a heuristic (rule) based correlation engine (filtering, relations, time windows, ...)

The advantage of doing all this in Kafka is that once you have the bridge ready you can process whatever comes in.

Once the IDS + NetFlow version is ready (currently in private RC testing) we will start to work on the intelligence elements, and might be able to start with the logging one too.

Regards
Jaime Nebrera - ENEO Tecnología

Sent from my mobile, sorry for typos

On 31/12/2013 19:08, "John Zhang" <[email protected]> wrote:

> Hi Luca,
>
> Let me explain the architecture of my SIEM:
>
> Logstash + elasticsearch
>
> Logstash: log shipper, log parsing and conversion
> elasticsearch: log index and search engine
>
> Its architecture is like the drawing on this page:
> http://logstash.net/docs/1.3.2/tutorials/getting-started-centralized
>
> Since Logstash supports lots of inputs and outputs, it doesn't need a special format for the fed log; of course, JSON is a good option.
>
> What I want is: I can feed the ntopng data into Logstash in near real time; some delay is also fine.
>
> Thanks!
>
> BTW, Happy New Year!
>
> Best regards,
>
> John
>
>
> 2013/12/31 Luca Deri <[email protected]>
>
> > John,
> > let me ask another question instead. What format do you need in your SIEM? Please make an example.
> >
> > Regards Luca
> >
> > On 31 Dec 2013, at 07:55, John Zhang <[email protected]> wrote:
> >
> > > Hi everyone,
> > >
> > > My SIEM is Logstash + elasticsearch, and I want to add the data of ntopng to my SIEM. So my big problem is: how do I export data from ntopng into Logstash?
> > >
> > > Any suggestion, comment, or reference will be highly appreciated!
> > >
> > > Thanks!
> > >
> > > Best regards,
> > >
> > > John
> > > _______________________________________________
> > > Ntop-misc mailing list
> > > [email protected]
> > > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
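The thread asks how to get ntopng data into Logstash and describes a Kafka-side "time window" correlation engine, but neither message shows what the feed or a rule looks like. The block below is an added example written for this page; it is not code from the thread, from ntopng, from Logstash or from redBorder. It turns ntopng-style flow records into newline-delimited JSON events of the kind Logstash's `tcp` input accepts with `codec => json_lines`, and runs one small time-window rule over the same records. The flow field names (`first_seen`, `src_ip`, `dst_ip`, `dst_port`, `proto`, `bytes`), the `type` value `ntopng_flow`, the TCP port 5000 and the sample records are all assumptions constructed for the example, not ntopng's real export schema.

```python
"""
Added example (not from the thread, ntopng, Logstash or redBorder):
1. convert ntopng-style flow dicts into Logstash-friendly JSON lines
   (RFC 3339 UTC @timestamp, one JSON object per line);
2. run a simple sliding-window "many distinct destination ports from one
   source" rule, the kind of heuristic correlation the thread mentions.
Field names and sample data are assumptions constructed for this example.
"""
import json
import socket
from collections import defaultdict, deque
from datetime import datetime, timezone

T0 = 1388491200  # 2013-12-31T12:00:00Z, chosen to match the thread's date

# Constructed sample flows; the schema is assumed, not ntopng's own.
SAMPLE_FLOWS = [
    {"first_seen": T0,       "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 22,   "proto": "tcp", "bytes": 1200},
    {"first_seen": T0 + 5,   "src_ip": "10.0.0.7", "dst_ip": "10.0.0.20", "dst_port": 80,   "proto": "tcp", "bytes": 5400},
    {"first_seen": T0 + 10,  "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 80,   "proto": "tcp", "bytes": 60},
    {"first_seen": T0 + 20,  "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 443,  "proto": "tcp", "bytes": 60},
    {"first_seen": T0 + 30,  "src_ip": "10.0.0.5", "dst_ip": "10.0.0.21", "dst_port": 3389, "proto": "tcp", "bytes": 60},
    {"first_seen": T0 + 40,  "src_ip": "10.0.0.5", "dst_ip": "10.0.0.21", "dst_port": 8080, "proto": "tcp", "bytes": 60},
    {"first_seen": T0 + 200, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.21", "dst_port": 445,  "proto": "tcp", "bytes": 60},
]


def iso8601_utc(epoch_s):
    """Epoch seconds -> '2013-12-31T12:00:00.000Z', the form Logstash parses as @timestamp."""
    ts = datetime.fromtimestamp(epoch_s, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def to_logstash_event(flow):
    """Copy a flow record and rename its epoch field to Logstash's @timestamp."""
    event = dict(flow)
    event["@timestamp"] = iso8601_utc(event.pop("first_seen"))
    event["type"] = "ntopng_flow"  # assumed tag so Logstash filters can match on it
    return event


def to_json_lines(flows):
    """One compact JSON object per line, terminated by '\\n', for codec => json_lines."""
    return "".join(json.dumps(to_logstash_event(f), sort_keys=True) + "\n" for f in flows)


def send_json_lines(payload, host="127.0.0.1", port=5000):
    """Ship the JSON lines to a Logstash tcp input (assumed to listen on port 5000)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload.encode("utf-8"))


class PortScanRule:
    """Alert when one source hits >= threshold distinct destination ports within window_s.

    Flows must be observed in time order; older entries fall out of the window.
    """

    def __init__(self, window_s=60, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self._events = defaultdict(deque)  # src_ip -> deque of (epoch_s, dst_port)

    def observe(self, flow):
        src, ts = flow["src_ip"], flow["first_seen"]
        q = self._events[src]
        q.append((ts, flow["dst_port"]))
        while q and ts - q[0][0] > self.window_s:  # evict entries outside the window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= self.threshold:
            return {"@timestamp": iso8601_utc(ts), "type": "alert", "rule": "port_scan",
                    "src_ip": src, "distinct_ports": sorted(ports), "window_s": self.window_s}
        return None


def run_rules(flows, rule):
    """Apply a rule to every flow in order and collect the alerts it raises."""
    return [alert for alert in (rule.observe(f) for f in flows) if alert]


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_FLOWS), end="")
    for alert in run_rules(SAMPLE_FLOWS, PortScanRule()):
        print(json.dumps(alert, sort_keys=True))
    # send_json_lines(to_json_lines(SAMPLE_FLOWS))  # uncomment with a Logstash tcp input listening
```

With the sample data the rule fires once, on the fifth distinct port from 10.0.0.5 inside the 60 s window; the later flow at T0 + 200 is outside the window, so it does not fire again. Alerts carry the same `@timestamp` and `type` conventions as the flow events, so they can go down the same JSON-lines pipe into Logstash and be distinguished by `type`.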
