Can Someone Help me Configure Suricata Filebeat on elastic cloud?

Wilfyboy · November 21, 2019, 6:29pm

Here are steps I followed to install Filebeats:

"C:\Program Files\Filebeat"
cd "C:\Program Files\Filebeat"
Edited Elastic Cloud section filebeat.yml file to add cloud.id: and cloud.auth:
filebeat.exe modules enable suricata
I don't really know if anything else is need to edit here.
.\filebeat.exe -e test config
There were logs that were being generated. So I guess it was working until there.
.\filebeat.exe -c filebeat.yml -e -d "*"
.\filebeat.exe setup
Start-Service filebeat
Checked if the service was running in Get-Service and it was running.
When I check that data is received from the Filebeat suricata module button I get
" No Data Was Received"

Can someone tell me where I'm making a mistake ?
Why can't I ingest data into elastic cloud ?

andrewkroh · November 21, 2019, 6:56pm

Where is your Suricata eve.log file located at?

You might need to configure the module with this path. On Windows it's looking in c:/program files/suricata/log/eve.json by default. See the docs for details on configuring a path.

github.com

elastic/beats/blob/v7.4.2/x-pack/filebeat/module/suricata/eve/manifest.yml#L10


module_version: 1.0


var:
  - name: paths
    default:
      - /var/log/suricata/eve.json
    os.darwin:
      - /usr/local/var/log/suricata/eve.json
    os.windows:
      - 'c:/program files/suricata/log/eve.json'
  - name: tags
    default: [suricata]
  - name: community_id
    default: true


  # - name: nested_ecs
  #   default: false
ingest_pipeline: ingest/pipeline.yml
input: config/eve.yml

system · December 19, 2019, 6:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.