Exporting/forwarding network traffic logs?

[y0d4a]

Hi,

For compliance purposes, I need to create a backup log of all connections, specifically including:

Timestamp
Source IP/Port
Destination IP/Port

The log should be saved as a .txt file on the filesystem, and then pushed to a backup server.

Is there an easy way to achieve this? I was thinking about using Arkime, but could it also be done with Suricata or another tool?

[y0d4a]

ah, found it /opt/malcolm/zeek-logs/live/logs/ :>

[mmguero]

Sure, that works! Other options might include:

• Arkime sessions API, which is exposed by Malcolm under /arkime/api and can be filtered/paginated as you wish
• The OpenSearch query API which is exposed by Malcolm under /mapi/opensearch
• create a custom logstash output pipeline to forward logs processed by Malcoml to some other destination supported by Logstash

Best of luck

[y0d4a]

Ah yes, the Arkime API is a much better and cleaner option.
Thank you!

if someone need it, here it is:

curl -u 'user:pass' 'https://domain/arkime/api/sessions/csv?date=24&bounding=first&order=firstPacket:asc&length=2000000&fields=firstPacket,source.ip,source.port,destination.ip,destination.port' | awk -F, 'NR==1{print "timestamp,src,dst"; next} {print $1 "," $2 ":" $3 "," $4 ":" $5}' > sessions_last24h.csv