Colorized HTML table view for Snort alert, appid and performance monitor logs. The Perf tab removes fields with zero values. The alert view generates a Wireshark filter from the alert's time data. The appid view displays real-time data; appid_listener is a feature from https://github.com/snort3/snort3_extra. The server reads these files:
/var/log/snort/alert_json.txt
/var/log/snort/appid.json
/var/log/snort/perf_monitor_base.csv
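The zero-field cleanup the Perf tab performs, as an added Node.js example (not snort_log_view's own code). The CSV header and values are constructed for this example; the real perf_monitor_base.csv column names are not reproduced here. The only assumption about the file is that, like other Snort CSV output, the header line may start with a `#` comment marker.

```javascript
// Added example, not part of snort_log_view: remove zero-valued fields from
// perf_monitor CSV rows before they reach the table.

// Constructed sample in CSV shape; column names and values are invented.
const SAMPLE_PERF_CSV = [
  '#timestamp,pkts_received,pkts_dropped,tcp_sessions,udp_sessions,alerts',
  '1710411700,15234,0,87,0,2',
  '1710411760,0,0,0,0,0',
  '',
].join('\n');

// Parse the CSV into row objects keyed by header name. A leading '#' on the
// header (Snort's comment marker) is stripped; blank lines are ignored and a
// short row is padded with empty strings rather than throwing.
function parsePerfCsv(text) {
  const lines = text.split('\n').filter((l) => l.trim() !== '');
  const header = lines[0].replace(/^#/, '').split(',').map((h) => h.trim());
  return lines.slice(1).map((line) => {
    const cells = line.split(',');
    const row = {};
    header.forEach((name, i) => {
      row[name] = i < cells.length ? cells[i].trim() : '';
    });
    return row;
  });
}

// Drop fields whose value is numerically zero (an empty cell counts as zero,
// a non-numeric cell is kept). The key column is always kept so an idle
// interval still shows up as a row.
function stripZeroFields(row, keep = ['timestamp']) {
  const out = {};
  for (const [k, v] of Object.entries(row)) {
    if (keep.includes(k) || Number(v) !== 0) out[k] = v;
  }
  return out;
}

// Full pipeline: CSV text in, cleaned row objects out.
function cleanPerfCsv(text) {
  return parsePerfCsv(text).map((r) => stripZeroFields(r));
}

console.log(JSON.stringify(cleanPerfCsv(SAMPLE_PERF_CSV), null, 2));
```

The second sample row reduces to just its timestamp, which is the behaviour you want for a quiet interval: the row stays, the noise goes.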
/snort_log_view/client$ npm install
/snort_log_view/server$ npm install
/snort_log_view/server$ export NODE_OPTIONS=--max-old-space-size=8192
/snort_log_view/server$ sudo npm start
/snort_log_view/client$ npm start
perf_monitor = {}
alert_json =
{
file = true,
limit = 100,
fields = 'timestamp iface src_addr src_port dst_addr dst_port proto action msg priority class sid dir dst_ap eth_dst eth_len eth_src eth_type gid icmp_code ip_id ip_len mpls pkt_gen pkt_len pkt_num rev rule seconds service src_ap target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan'
}
-- only timestamp, priority, rule, proto, src_ap, dst_ap, msg, class and seconds are mandatory for the viewer
appid_listener =
{
json_logging = true,
file = "/var/log/snort/appid.json",
}
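Reading alert_json records and turning one into a Wireshark filter, as an added Node.js example (not snort_log_view's own code). It checks the nine fields the config comment above marks as mandatory and skips lines that lack them or are not JSON. The sample lines are constructed (invented addresses, SIDs and messages), and the filter shape, endpoints plus ports plus a one-second `frame.time_epoch` window built from the alert's `seconds` value, is this example's construction, not necessarily the filter the project itself emits.

```javascript
// Added example, not part of snort_log_view: parse alert_json lines, validate
// the viewer's mandatory fields, and build a Wireshark display filter.

// Fields the README's config comment lists as mandatory for the viewer.
const MANDATORY_FIELDS = ['timestamp', 'priority', 'rule', 'proto',
  'src_ap', 'dst_ap', 'msg', 'class', 'seconds'];

// Constructed sample lines in alert_json's one-object-per-line shape.
// Line 2 lacks "seconds"; line 3 is corrupt. Values are invented.
const SAMPLE_ALERT_LINES = [
  '{ "timestamp" : "03/14-10:22:31.123456", "priority" : 2, "rule" : "1:1000001:1", "proto" : "TCP", "src_ap" : "10.0.0.5:44321", "dst_ap" : "192.168.1.20:80", "msg" : "EXAMPLE suspicious response", "class" : "Potentially Bad Traffic", "seconds" : 1710411751 }',
  '{ "timestamp" : "03/14-10:22:32.000001", "priority" : 3, "rule" : "1:1000002:1", "proto" : "ICMP", "src_ap" : "10.0.0.9:0", "dst_ap" : "10.0.0.1:0", "msg" : "EXAMPLE echo reply", "class" : "Misc activity" }',
  'this line is not JSON',
];

// Parse one line. Returns { ok: true, alert } or { ok: false, reason } so a
// corrupt or incomplete record never aborts the whole file read.
function parseAlertLine(line) {
  let alert;
  try {
    alert = JSON.parse(line);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const missing = MANDATORY_FIELDS.filter((f) => !(f in alert));
  if (missing.length > 0) {
    return { ok: false, reason: `missing mandatory field(s): ${missing.join(', ')}` };
  }
  return { ok: true, alert };
}

// Split Snort's "addr:port" pair on the last colon so IPv6 addresses survive.
function splitAddrPort(ap) {
  const i = ap.lastIndexOf(':');
  return { addr: ap.slice(0, i), port: Number(ap.slice(i + 1)) };
}

// Build a display filter isolating the traffic behind one alert: both
// endpoints, transport ports when the protocol has them, and a one-second
// window starting at the alert's epoch "seconds" value.
function wiresharkFilter(alert) {
  const src = splitAddrPort(alert.src_ap);
  const dst = splitAddrPort(alert.dst_ap);
  const addrField = src.addr.includes(':') ? 'ipv6.addr' : 'ip.addr';
  const terms = [`${addrField} == ${src.addr}`, `${addrField} == ${dst.addr}`];
  const proto = String(alert.proto).toLowerCase();
  if (proto === 'tcp' || proto === 'udp') {
    terms.push(`${proto}.port == ${src.port}`, `${proto}.port == ${dst.port}`);
  } else if (proto === 'icmp') {
    terms.push('icmp');
  }
  const t = Number(alert.seconds);
  terms.push(`frame.time_epoch >= ${t}`, `frame.time_epoch < ${t + 1}`);
  return terms.join(' && ');
}

// Run every line through the parser; collect filters for valid alerts and
// a reason for each skipped line so the viewer can report it.
function processAlertLines(lines) {
  const filters = [];
  const rejected = [];
  lines.forEach((line, idx) => {
    const r = parseAlertLine(line);
    if (r.ok) {
      filters.push(wiresharkFilter(r.alert));
    } else {
      rejected.push({ line: idx + 1, reason: r.reason });
    }
  });
  return { filters, rejected };
}

const result = processAlertLines(SAMPLE_ALERT_LINES);
result.filters.forEach((f) => console.log(f));
result.rejected.forEach((r) => console.error(`line ${r.line} skipped: ${r.reason}`));
```

Pasting the generated filter into Wireshark's display filter bar on a capture taken from the same interface narrows the view to the flow Snort alerted on; the window is one second wide because alert_json's `seconds` field has whole-second resolution.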
The alert view shows the latest alerts.
The appid view is updated over a socket connection.
The search tab has various search and arrangement features.
Performance monitor data is shown in a table.
Find a faster solution than read-last-lines.