Filebeat sends encrypted logs from snort to elastic


Snort logs on Kibana are encrypted, as you can see below. Even when I try to run cat /var/log/snort/snort.log.166425312 on Snort itself, I get the same output.

The only way to show the output is by running tcpdump -r /var/logs/snort/snort.log.166425312 on the Snort server.

Do you have any idea how to decrypt the message on Kibana, or at least how to convert the logs into JSON and then ship them to Elastic?

My snort.yml

# Module: snort
# Docs:

- module: snort
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.input: file
    # var.syslog_host: localhost
    # var.syslog_port: 9532

    # Set paths for the log files when file input is used.
    var.paths: ["/var/log/snort/snort.log.*"]

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

My filebeat.yml

# Top-level section keys (filebeat.inputs, filebeat.config.modules, setup.*, output.elasticsearch,
# processors) were lost in the paste and are restored here from the stock filebeat.yml layout.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/snort/snort.log.*

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "elastic:5601"

output.elasticsearch:
  hosts: ["elastic:9200"]
  username: "elastic"
  password: "elastic"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

setup.ilm.overwrite: true

@Marius_Iversen or @andrewkroh do you know if this is supported by this module?
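A way to check what the file actually is and to turn it into newline-delimited JSON that Filebeat can ship, as an added example (my code, not from this thread or from Filebeat): it reads the libpcap global header and per-packet headers, the format Snort's default binary logger writes to snort.log.<epoch> and the reason tcpdump -r can read it. It assumes plain libpcap (not pcapng or unified2); the sample bytes and the output field names are constructed for the demo.

```python
import json
import struct
import sys

# libpcap magic numbers; the header is written in the logging host's byte order
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}

def pcap_records(data: bytes):
    """Yield one dict per packet from a libpcap blob such as snort.log.<epoch>."""
    endian, ts_div = PCAP_MAGIC.get(data[:4], (None, None))
    if endian is None:
        raise ValueError("no libpcap magic: file is text, pcapng or unified2, not pcap")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    _, major, minor, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + caplen]
        if len(pkt) < caplen:
            break  # truncated last record (Snort still writing, or file cut short)
        off += caplen
        yield {
            "@timestamp": ts_sec + ts_frac / ts_div,   # epoch seconds as a float
            "pcap.version": f"{major}.{minor}",
            "pcap.linktype": linktype,                 # 1 = Ethernet
            "packet.captured_len": caplen,
            "packet.original_len": origlen,
            "packet.head_hex": pkt[:16].hex(),         # first bytes, for eyeballing
        }

def pcap_to_ndjson(data: bytes) -> str:
    """One JSON document per line, the shape Filebeat's json options expect."""
    return "\n".join(json.dumps(r) for r in pcap_records(data))

# constructed sample: little-endian pcap v2.4, Ethernet link type, two packets
SAMPLE = (
    b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 1664253120, 500, 6, 6) + b"\x00\x11\x22\x33\x44\x55"
    + struct.pack("<IIII", 1664253121, 0, 4, 60) + b"\xaa\xbb\xcc\xdd"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(pcap_to_ndjson(blob))
```

The Filebeat snort module parses text alert or syslog lines, not libpcap, so the resulting .ndjson is best shipped with a plain log input that sets json.keys_under_root: true rather than through the module.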
