Hello,
Ok,
I tried use logstash to received (SYSLOG) ,after my output save /var/log.
Now I used filebeat to read the file and output to elastic...works.
But the module suricata don't work.
FILE: /etc/filebeat/modules.d/suricata.yml
- module: suricata
eve:
enabled: true
Filbebeat.yml
filebeat.inputs:
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/suricata/suricata.json
json.keys_under_root: true
json.overwrite_keys: true
fields:
application: suricata
# ============================== Filebeat modules ==============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
setup.kibana:
host: "192.168.0.1:5601"
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
This is the log i received in my ELK, FORMAT JSON, but the dashbord kibana [filebeat] suricata don't work. Show me the message ( No result Found )
```
{
"_index": "filebeat-7.9.1-2020.09.21-000001",
"_type": "_doc",
"_id": "-",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-09-22T15:15:15.698Z",
"src_ip": "192.168.10.5",
"ecs": {
"version": "1.5.0"
},
"log": {
"offset": -
"file": {
"path": "/var/log/suricata/suricata.json"
}
},
"dest_ip": "192.168.10.6",
"flow_id": 20000000000,
"in_iface": "ix1",
"alert": {
"category": "Attempted User Privilege Gain",
"severity": 1,
"metadata": {
"updated_at": [
"2013_01_04"
],
"created_at": [
"2013_01_04"
]
},
"action": "allowed",
"gid": 1,
"signature_id": 2016150,
"rev": 2,
"signature": "ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"
},
"event_type": "alert",
"input": {
"type": "log"
},
"fields": {
"application": "suricata"
},
"src_port": 3478,
"flow": {
"bytes_toserver": 12785,
"bytes_toclient": 0,
"start": "2020-09-22T12:09:38.250541-0300",
"pkts_toserver": 91,
"pkts_toclient": 0
},
"timestamp": "2020-09-22T12:14:39.520925-0300",
"host": {
"name": "192.168.0.1"
},
"agent": {
"version": "7.9.1",
"hostname": "192.168.0.1",
"ephemeral_id": "-",
"id": "-",
"name": "192.168.0.1",
"type": "filebeat"
},
"proto": "UDP",
"app_proto": "failed",
"dest_port": 50020
},
"fields": {
"@timestamp": [
"2020-09-22T15:15:15.698Z"
],
"suricata.eve.timestamp": [
"2020-09-22T15:15:15.698Z"
]
},
"sort": [
1400556600000
]
}
```