Dashboards for Suricata > Filebeat > Logstash Setup

Hi,

I have my Stack set up across two machines: the first with Suricata and Filebeat, and the other with Logstash and Kibana/Elasticsearch. tcpdump confirms logs are being sent over, and I recently figured out how to import my Filebeat index template into Kibana using the file export method; however, I'm at a loss as to how to view any of my data via the dashboards. The built-in Suricata dashboard seems to only be for data sent via the agent, therefore everything says no data.

How do I view my data in Kibana that is ingested via Logstash? Is it possible to change the default dashboard to use my filebeat-8.16.0 index recently added? Any help would greatly be appreciated!!!

Hi @elastirroot, Welcome to the community!

A couple of things.

Are you sure you need Logstash? Logstash is great but is not necessarily needed for this. Are you following some other article, etc.?

No, that is not necessarily correct... but depending on what you did... it could be confusing...

My suggestion is to get the simple direct path working first.

filebeat > elasticsearch

Once that is working, we can show you how to "Pass it through" logstash if needed

To do this, follow the Filebeat Quickstart very carefully and substitute the suricata module for the nginx module in the

Set the filebeat.yml to point to Kibana and Elasticsearch
Enable the suricata module
run setup: filebeat setup -e
run filebeat
Check the data and the dashboards

Once you get everything working, come back, and we can show you how to use logstash in the middle if it is still needed.

I ran into this project through a 'Tuber' and an article as you suspected: GitHub - robcowart/synesis_lite_suricata: Suricata IDS/IPS log analytics using the Elastic Stack... There it suggested the logstash path.

I'll try the filebeat > elastic path as you suggested.

Rob is awesome! But that particular article/repo is 5 years old!!! which is a lifetime in tech, and as noted

THIS PROJECT HAS BEEN ARCHIVED!

Get the the filebeat > elasticsearch route working and then come back if needed.


Thank you very much for the direction. I'm further than ever before. I can go into Kibana and find data streaming in via the Discover section using the 'filebeat-*' filter. However, when moving over to dashboards, there is no data, although there are no errors anymore (see attached).

I have both the nginx and the suricata modules enabled. All fileset settings pointing to the same /var/log/suricata/eve.json file (<--- is this correct?). I know I'm close but just need the extra insight as to how to get my suricata dashboards populated, the entire reasoning for this adventure. Any help is appreciated.

Sorry for the multi post, but as a noob, I can only add one image per post. This is the last image showing the Nginx dashboard(s) also show no data. Your help is appreciated.

No, that is not correct.

First, if you do not have the Nginx logs, do not enable that module...

Apologies if I was not clear. I meant to follow the quickstart and use the suricata module instead of nginx. If you do not have nginx, disable it.

./filebeat modules disable nginx

I am not sure what state you are in at this point... you may have loaded the suricata logs into the nginx dataset... I am not sure what you have...

Let's see what you got...

FROM filebeat-*
| WHERE event.dataset == "suricata.eve"

Open one of the docs and paste the JSON in here

Then try to see what you are getting...

FROM filebeat-*
| WHERE event.dataset == "suricata.eve"
| STATS COUNT(*) BY event.category

See what kind of events you have...

FROM filebeat-*
| WHERE event.dataset == "suricata.eve"
| STATS COUNT(*) BY event.kind

Also did you look at the Alerts dashboard...

What kind of suricata data do you think you are loading?

Let's see what you have and see if we can fix it... maybe tomorrow, it's late here
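The three ES|QL queries above ask Elasticsearch what event types and kinds arrived. The same questions can be asked of eve.json itself on the sensor, which separates "Suricata is not producing events" from "Filebeat/Kibana are not showing them". The script below is an added example, not code from this thread or from the Filebeat suricata module; it counts events by event_type, derives event.kind the way the module is assumed to (only event_type alert becomes event.kind alert, everything else event.kind event), and checks whether the newest event would fall inside a dashboard's time range, which is what "no data" on a dashboard usually means when Discover still shows old documents. The sample eve.json lines are constructed, and the script accepts a real file path as its only argument.

```python
#!/usr/bin/env python3
"""Offline triage of Suricata's eve.json, run on the sensor before blaming Filebeat or Kibana.

Added example, not from this thread. Counts events by event_type and by the
event.kind the Filebeat suricata module is assumed to assign, and reports
whether the newest event is recent enough to appear in a dashboard window.
"""
from __future__ import annotations

import json
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


def parse_suricata_ts(ts: str) -> datetime:
    """Parse Suricata's timestamp (e.g. 2024-11-20T10:15:02.123456+0000).

    Pythons before 3.11 only accept a colon in the offset, so +0000 -> +00:00.
    """
    if len(ts) >= 5 and ts[-5] in "+-" and ts[-3] != ":":
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)


def ecs_kind(event_type: str) -> str:
    """Assumed mapping used by the suricata module: alerts are event.kind=alert,
    everything else (flow, dns, http, stats, ...) is event.kind=event."""
    return "alert" if event_type == "alert" else "event"


def parse_eve(lines: Iterable[str]) -> tuple[Counter, Counter, Optional[datetime], int]:
    """Return (count by event_type, count by event.kind, newest timestamp, unparsable lines)."""
    by_type: Counter = Counter()
    by_kind: Counter = Counter()
    newest: Optional[datetime] = None
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # a half-written last line is normal while Suricata is live
            continue
        et = ev.get("event_type", "unknown")
        by_type[et] += 1
        by_kind[ecs_kind(et)] += 1
        ts = ev.get("timestamp")
        if ts:
            try:
                t = parse_suricata_ts(ts)
            except ValueError:
                continue
            if newest is None or t > newest:
                newest = t
    return by_type, by_kind, newest, skipped


def within_window(newest: Optional[datetime], now: datetime,
                  window: timedelta = timedelta(minutes=15)) -> bool:
    """True if the newest event would fall inside a dashboard showing the last `window`."""
    return newest is not None and now - newest <= window


# Constructed sample in eve.json's line-delimited JSON shape; the last line is
# deliberately truncated, as the live file's tail often is.
SAMPLE_EVE = """\
{"timestamp":"2024-11-20T10:15:02.123456+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-11-20T10:15:03.000100+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-11-20T10:15:04.500000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature":"CONSTRUCTED TEST sig","severity":2}}
{"timestamp":"2024-11-20T10:15:05.000000+0000","event_type":"stats","stats":{"uptime":42}}
{"timestamp":"2024-11-20T10:15:06.000000+0000","event_type":"fl
"""


def report(lines: Iterable[str], now: datetime, window: timedelta = timedelta(minutes=15)) -> str:
    """Human-readable summary; the last line says whether a dashboard would show anything."""
    by_type, by_kind, newest, skipped = parse_eve(lines)
    out = [f"events by event_type: {dict(by_type)}",
           f"events by event.kind: {dict(by_kind)}",
           f"unparsable lines: {skipped}"]
    if newest is None:
        out.append("no timestamped events at all: is Suricata writing eve.json?")
    elif not within_window(newest, now, window):
        out.append(f"newest event {newest.isoformat()} is older than {window}: "
                   "Suricata may have stopped, or widen the dashboard time range")
    else:
        out.append(f"newest event {newest.isoformat()} is within the window")
    return "\n".join(out)


if __name__ == "__main__":
    # usage: eve_triage.py [/var/log/suricata/eve.json]; with no argument the sample is used
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh, datetime.now(timezone.utc)))
    else:
        print(report(SAMPLE_EVE.splitlines(), datetime.now(timezone.utc)))
```

If this shows alerts in the file but the ES|QL query for event.dataset == "suricata.eve" returns nothing, the problem is in the Filebeat input or module configuration; if the newest event is hours old, it is Suricata, not the stack.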

FYI - I disabled Nginx, enabled Suricata and pointed filebeat to suricata logs.

filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /var/log/suricata/*.json
  fields:
    event.type: suricata
...

Also provided the following in the module for suricata:

filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /var/log/suricata/*.json
  fields:
    event.type: suricata

plus my auth ssl stuff
...

Unfortunately, nothing is returned from this query, much less any of the drill downs from here.

I'm hoping to show all available data from suricata. I guess my assumption is that unless I filtered something, I should see everything at least to start with.

Again, after configuring all types of SSL settings, which work, the Elastic Stack is confusing to me as to why I can see data in Discover but nothing in any of the visualizations. I'm sure it's a me thing. Your direction again is appreciated.

I wish I could say what I did, but I'm not sure. At some point I found my suricata not running and restarted it. From there, the dashboards started populating.

I'll start looking at the other dashes and see if I can get more meaningful data, but I think I'm good from here. Thank you so much.


Cool... Glad we could help.

If you do not have nginx ... Disable that module, in general you don't want 2 modules or inputs pointing to the same file set.

@elastirroot

Also, do not enable the filestream in the filebeat.yml; ONLY enable the suricata.yml.

Multiple inputs pointing to the same fileset is not good / not needed

Not sure why you are adding

The modules are self-contained.... Overriding things like event.type can have not-good side effects.

@elastirroot see above

So, recap...

Enable the suricata module ... Nothing else

Do not add more filestreams in the filebeat.yml nor extraneous fields unless you know what you are doing... and you know they do not conflict with existing fields... The dashboards are driven by the correct schema and values.
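The recap's rule, one input per file, is easy to break without noticing because a glob in filebeat.yml and a literal path in a module can name the same file. The script below is an added example, not code from this thread or from Filebeat; it models each input as a label plus its glob patterns (the filestream pattern is the one posted above, the module path is assumed to be the suricata module's default var.paths of /var/log/suricata/eve.json), evaluates them against a constructed scratch copy of /var/log/suricata, and lists every file that two or more inputs would both harvest.

```python
#!/usr/bin/env python3
"""Show which files two Filebeat inputs would both harvest.

Added example, not from this thread. Inputs are (label, glob patterns); the
filestream pattern is the one posted above, the suricata module path is assumed
to be its default var.paths. Patterns are tested in a scratch tree so this runs anywhere.
"""
from __future__ import annotations

import glob
import os
import tempfile
from collections import defaultdict

POSTED_FILESTREAM = ("filebeat.yml filestream input", ["/var/log/suricata/*.json"])
SURICATA_MODULE = ("suricata module eve fileset", ["/var/log/suricata/eve.json"])  # assumed default


def overlapping_files(inputs: list[tuple[str, list[str]]], root: str = "") -> dict[str, list[str]]:
    """Map each file claimed by two or more inputs to the labels that claim it.

    `root` is prefixed to every pattern so absolute patterns can be tested in a
    sandbox directory; keys are reported with the prefix removed.
    """
    claims: dict[str, set[str]] = defaultdict(set)
    for label, patterns in inputs:
        for pattern in patterns:
            for path in glob.glob(root + pattern):
                claims[path[len(root):]].add(label)
    return {path: sorted(labels) for path, labels in claims.items() if len(labels) > 1}


def check_against_scratch_tree(inputs: list[tuple[str, list[str]]]) -> dict[str, list[str]]:
    """Build a constructed /var/log/suricata with typical Suricata outputs and run the check."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "var", "log", "suricata")
        os.makedirs(log_dir)
        for name in ("eve.json", "fast.log", "suricata.log", "stats.log"):
            open(os.path.join(log_dir, name), "w").close()
        return overlapping_files(inputs, root)


if __name__ == "__main__":
    # As posted: the filestream glob and the module both claim eve.json.
    print("as posted:", check_against_scratch_tree([POSTED_FILESTREAM, SURICATA_MODULE]))
    # Recap applied: only the module is enabled, nothing overlaps.
    print("module only:", check_against_scratch_tree([SURICATA_MODULE]))
```

Any file listed in the output is being read twice, once by a path that goes through the module's ingest pipeline and once by a plain input that does not, which is the mixed result the thread describes.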