Elasticsearch generates lots of Suricata events


(Null Oranje) #1

I've set up an ELK stack to parse Suricata log events, but I'm having a problem with Elasticsearch generating too much data. Every few seconds, it generates several log events such as

{"timestamp":"2015-12-20T04:56:07.588866","event_type":"fileinfo","src_ip":"127.0.0.1","src_port":40901,"dest_ip":"127.0.0.1","dest_port":9200,"proto":"TCP","http":{"url":"/_bulk","hostname":"localhost","http_user_agent":"Manticore 0.4.4"},"fileinfo":{"filename":"/_bulk","magic":"ASCII text, with very long lines","state":"CLOSED","stored":false,"size":3898}}
{"timestamp":"2015-12-20T04:56:07.599335","event_type":"http","src_ip":"127.0.0.1","src_port":40901,"dest_ip":"127.0.0.1","dest_port":9200,"proto":"TCP","http":{"hostname":"localhost","url":"/_bulk","http_user_agent":"Manticore 0.4.4","accept_encoding":"gzip,deflate"}}

I'm not sure how to suppress this information. Thoughts?


(Mark Walkom) #2

The only way to suppress it is to not send it to ES.
You could put LS in the mix and then filter these out.
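
An added example (not from the original thread) of the filtering the reply describes, written as a small Python pass over Suricata EVE JSON lines rather than as Logstash configuration. The point it shows: the `fileinfo` and `http` events in the question are Suricata watching Logstash's own bulk requests to Elasticsearch on port 9200, so the filter only needs to drop events whose TCP endpoint is the Elasticsearch HTTP port on the ES host. Assumed: ES listens on its default port 9200 and only on the loopback address (adjust `ES_PORT` / `ES_HOSTS` otherwise); the sample lines are constructed, copied from the post plus one unrelated alert.

```python
import json

# Assumption: Elasticsearch on its default HTTP port and only on loopback.
ES_PORT = 9200
ES_HOSTS = {"127.0.0.1", "::1"}

# Constructed sample input: the two events quoted in the question (Suricata
# observing Logstash -> Elasticsearch /_bulk traffic) plus one ordinary alert
# that must survive the filter.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-12-20T04:56:07.588866","event_type":"fileinfo",'
    '"src_ip":"127.0.0.1","src_port":40901,"dest_ip":"127.0.0.1","dest_port":9200,'
    '"proto":"TCP","http":{"url":"/_bulk","hostname":"localhost",'
    '"http_user_agent":"Manticore 0.4.4"},"fileinfo":{"filename":"/_bulk",'
    '"magic":"ASCII text, with very long lines","state":"CLOSED","stored":false,"size":3898}}',
    '{"timestamp":"2015-12-20T04:56:07.599335","event_type":"http",'
    '"src_ip":"127.0.0.1","src_port":40901,"dest_ip":"127.0.0.1","dest_port":9200,'
    '"proto":"TCP","http":{"hostname":"localhost","url":"/_bulk",'
    '"http_user_agent":"Manticore 0.4.4","accept_encoding":"gzip,deflate"}}',
    '{"timestamp":"2015-12-20T04:57:01.000000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"signature":"CONSTRUCTED sample alert","severity":2}}',
    "",  # blank line: must be ignored, not counted as malformed
    "this is not json",  # malformed line: skipped and counted
]


def is_es_ingest_traffic(event):
    """True when the event describes a TCP flow to or from the ES HTTP port
    on an ES host, i.e. the pipeline observing its own indexing traffic."""
    if event.get("proto") != "TCP":
        return False
    to_es = event.get("dest_port") == ES_PORT and event.get("dest_ip") in ES_HOSTS
    from_es = event.get("src_port") == ES_PORT and event.get("src_ip") in ES_HOSTS
    return to_es or from_es


def filter_eve(lines):
    """Return (kept_events, dropped_count, malformed_count).

    kept_events are parsed dicts that are not ES ingest traffic; dropped_count
    is how many self-traffic events were removed; malformed_count is how many
    non-empty lines failed to parse as JSON (kept out of the result so one bad
    line never stalls the pipeline).
    """
    kept, dropped, malformed = [], 0, 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            malformed += 1
            continue
        if is_es_ingest_traffic(event):
            dropped += 1
            continue
        kept.append(event)
    return kept, dropped, malformed


if __name__ == "__main__":
    kept, dropped, malformed = filter_eve(SAMPLE_EVE_LINES)
    print(f"kept={len(kept)} dropped={dropped} malformed={malformed}")
    for ev in kept:
        print(ev["event_type"], ev["src_ip"], "->", ev["dest_ip"], ev["dest_port"])
```

The same condition maps directly onto a Logstash conditional around a `drop` filter (match on the destination or source port being 9200 and the IP being the ES host). Note that it deliberately keys on the endpoint rather than on `url == "/_bulk"` or the Manticore user agent, so that legitimate HTTP traffic to other services is not affected and the filter still catches ES responses and other ES API calls. A capture-side alternative is to keep Suricata from seeing that traffic at all, for example with a BPF filter on the sniffing interface that excludes port 9200, which also saves the inspection cost.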


(system) #3