Have a problem with my Suricata + ELK stack

Yves_Silvere_Randria · August 13, 2021, 1:31pm

Hello, I have this error when I am setting up ELK servers + Suricata .

legoguy1000 · August 13, 2021, 2:54pm

It looks like u have a permissions problem. What user are u logged in as and what roles/permissions does it have?

Yves_Silvere_Randria · August 13, 2021, 5:06pm

simple user,, so you suggest that I should switch to root?

legoguy1000 · August 13, 2021, 10:43pm

I would check the roles/permissions and either add the needed privs or switch to another user.

Yves_Silvere_Randria · August 16, 2021, 5:29am

Ok,, so where should I check?? Elastic?? logstash??.. where

stephenb · August 16, 2021, 5:59am

@Yves_Silvere_Randria welcome to the community.

Before we get to permissions or anything else because it may not be permissions.

Help us understand some basics

Basic number one what is your architecture?

Suricata logs > Filebeat-> Logstash > Elasticsearch
Suricata logs > Filebeat > Elasticsearch
Suricata logs > Logstash > Elasticsearch

Let us know then I will have some additional questions.

Yves_Silvere_Randria · August 16, 2021, 6:08am

My architecture is 1. Suricata logs > Filebeat-> Logstash > Elasticsearch

All of these servers are running in a Debian 10 OS .

Suricata + filebeat in one server

Logstash in another server

Elastc in another

stephenb · August 16, 2021, 6:16am

Ok so are you using the suricata filebeat module?

If so there are certain steps / configuration you need for your architecture... Look at this post by me...

It's for ngnix logs but same principles apply.. look at these 2 posts

Yves_Silvere_Randria · August 16, 2021, 6:28am

Ok, I'll try , these commands are still working on an ELK 6.8.0 stack??

Yves_Silvere_Randria · August 16, 2021, 6:41am

"3. now go back into your elasticsearch.yml and comment out (or take out) the elasticsearch output and put in your logstash output."

Is this elasticsearch.yml file the same as in the elastic server?????

stephenb · August 16, 2021, 1:45pm

Good catch the should be filebeat.yml

6.8 is very old you should upgrade but yes I think this should still all work.

The basic point is if you want to use

Logs -> Filebeat -> Logstash -> Elasticsearch

You need to point filebeat directly at Elasticsearch Initially, then run setup (to load all the Kibana and Elasticsearch assets) then point filebeat to Logstash when you want to ship logs.

Setup only needs to be run Once, unless you add a new Module or when you upgrade all the stack versions.

Yves_Silvere_Randria · August 24, 2021, 6:19am

Sorry for the delay,

In fact , I am following this tutorial : GitHub - robcowart/synesis_lite_suricata: Suricata IDS/IPS log analytics using the Elastic Stack.

And I have the problem on the screenshot above

stephenb · August 24, 2021, 1:50pm

Hi @Yves_Silvere_Randria

Apologies, but I am not going to be able to help you much with following that guide, as it is not part of our documentation and it is several years old.

I can tell you there is a Suricata Module with Filebeat and I would recommend using that

system · September 21, 2021, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.