Hello,

Snort logs on Kibana are encrypted, as you can see below. Even when I run cat /var/log/snort/snort.log.166425312 on the Snort host itself, I get the same output.

The only way to show the output is by running tcpdump -r /var/logs/snort/snort.log.166425312 on the Snort server.

Do you have any idea how to decrypt the message on Kibana, or at least how to convert the logs into JSON and then ship them to Elastic?

My snort.yml:
# Module: snort
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-snort.html

- module: snort
  log:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: file
    # var.syslog_host: localhost
    # var.syslog_port: 9532

    # Set paths for the log files when file input is used.
    var.paths: ["/var/log/snort/snort.log.*"]

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
My filebeat.yml:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/snort/snort.log.*

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "elastic:5601"

output.elasticsearch:
  hosts: ["elastic:9200"]
  username: "elastic"
  password: "elastic"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

setup.ilm.overwrite: true
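Because tcpdump -r can read the file, snort.log.NNN is a binary pcap capture rather than text, which is why cat and a line-oriented Filebeat log input show raw bytes. The following script is an added example, not code from the original post, from Elastic or from the Snort project: using only the Python standard library it parses such a pcap and writes one JSON object per packet, with ECS-style source/destination/network fields, that Filebeat's log input can ship with `json.keys_under_root: true`. The file paths, the field layout and the `build_sample_pcap` capture are assumptions constructed for the demonstration; only Ethernet/IPv4 with TCP or UDP is decoded, other frames keep just their timestamp and size.

```python
"""Convert a pcap capture (e.g. a Snort binary log) into JSON lines for Filebeat."""
import json
import struct
import sys
from datetime import datetime, timezone
from typing import Dict, List

# pcap magic as read little-endian -> (byte order of the file, timestamp ticks per second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Summarise an Ethernet frame: IPv4 addresses, IP protocol and TCP/UDP ports."""
    info: Dict[str, object] = {}
    if len(frame) < 14:
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:   # not IPv4, or too short for an IP header
        info["ethertype"] = hex(ethertype)
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = ip[9]
    info["source_ip"] = ".".join(str(b) for b in ip[12:16])
    info["destination_ip"] = ".".join(str(b) for b in ip[16:20])
    info["ip_protocol"] = proto
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:         # TCP or UDP: ports are the first 4 bytes
        info["source_port"], info["destination_port"] = struct.unpack("!HH", l4[:4])
        info["transport"] = "tcp" if proto == 6 else "udp"
    return info


def parse_pcap(data: bytes) -> List[dict]:
    """Parse pcap bytes into one ECS-style dict per packet; raise ValueError if not pcap."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file: magic {magic:#x}")
    order, ticks = _MAGICS[magic]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break                                  # truncated last record (file still being written)
        offset += incl_len
        ts = datetime.fromtimestamp(ts_sec + ts_frac / ticks, tz=timezone.utc)
        rec = {"@timestamp": ts.isoformat(),
               "event": {"kind": "event", "module": "snort"},
               "network": {"bytes": orig_len, "captured_bytes": incl_len}}
        f = decode_frame(frame) if linktype == LINKTYPE_ETHERNET else {}
        if "source_ip" in f:
            rec["source"] = {"ip": f["source_ip"]}
            rec["destination"] = {"ip": f["destination_ip"]}
            rec["network"]["iana_number"] = f["ip_protocol"]
            if "transport" in f:
                rec["network"]["transport"] = f["transport"]
                rec["source"]["port"] = f["source_port"]
                rec["destination"]["port"] = f["destination_port"]
        records.append(rec)
    return records


def pcap_to_jsonl(src_path: str, dst_path: str) -> int:
    """Write one JSON object per line (NDJSON) and return the number of records written."""
    with open(src_path, "rb") as fh:
        records = parse_pcap(fh.read())
    with open(dst_path, "w", encoding="utf-8") as out:
        for rec in records:
            out.write(json.dumps(rec, separators=(",", ":")) + "\n")
    return len(records)


def build_sample_pcap() -> bytes:
    """Constructed sample capture (not real traffic): one UDP and one TCP packet over Ethernet."""
    def packet(proto: int, src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
        if proto == 17:   # UDP: ports, length, checksum (checksum left zero)
            l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        else:             # TCP: ports, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src, dst) + l4
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        return eth + ip

    def record(ts_sec: int, frame: bytes) -> bytes:
        return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    udp = packet(17, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]), 53123, 53, b"dns-query")
    tcp = packet(6, bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]), 40000, 443, b"\x16\x03\x01")
    return header + record(1664253120, udp) + record(1664253121, tcp)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pcap2jsonl.py /var/log/snort/snort.log.NNN /var/log/snort/json/snort.ndjson")
    print(pcap_to_jsonl(sys.argv[1], sys.argv[2]), "records written")
```

Point a Filebeat log input at the NDJSON output directory (a separate path from the binary files, which should be excluded from the log input) instead of the pcap files themselves; each line is already a JSON document, so no module pipeline is needed for these fields.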