Have a problem with my Suricata + ELK stack

Hello, I have this error when I am setting up ELK servers + Suricata.

It looks like you have a permissions problem. What user are you logged in as, and what roles/permissions does it have?

Simple user, so you suggest that I should switch to root?

I would check the roles/permissions and either add the needed privs or switch to another user.

Ok, so where should I check? Elastic? Logstash? Where?

@Yves_Silvere_Randria welcome to the community.

Before we get to permissions or anything else, because it may not be permissions.

Help us understand some basics.

Basic number one: what is your architecture?

  1. Suricata logs > Filebeat > Logstash > Elasticsearch

  2. Suricata logs > Filebeat > Elasticsearch

  3. Suricata logs > Logstash > Elasticsearch

Let us know then I will have some additional questions.

My architecture is 1. Suricata logs > Filebeat > Logstash > Elasticsearch

All of these servers are running on a Debian 10 OS.

Suricata + filebeat in one server

Logstash in another server

Elastic in another

Ok, so are you using the Suricata Filebeat module?

If so, there are certain steps / configuration you need for your architecture... Look at this post by me...

It's for nginx logs, but the same principles apply. Look at these 2 posts.

Ok, I'll try. Are these commands still working on an ELK 6.8.0 stack?

"3. now go back into your elasticsearch.yml and comment out (or take out) the elasticsearch output and put in your logstash output."

Is this elasticsearch.yml file the same as the one on the Elastic server?

Good catch, that should be filebeat.yml.

6.8 is very old and you should upgrade, but yes, I think this should still all work.

The basic point is if you want to use

Logs -> Filebeat -> Logstash -> Elasticsearch

You need to point Filebeat directly at Elasticsearch initially, then run setup (to load all the Kibana and Elasticsearch assets), then point Filebeat to Logstash when you want to ship logs.

Setup only needs to be run once, unless you add a new module or when you upgrade all the stack versions.
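The two-phase procedure described in the reply above, as an added example that is not from the original thread or from Elastic's documentation. It writes a shipping-phase filebeat.yml with Logstash as the only output, runs the one-time `filebeat setup` against Elasticsearch using `-E` command-line overrides (so the file never has to be edited back and forth), and includes a small check that catches the common mistake of leaving both outputs enabled at once, which Filebeat rejects. The host names are placeholders, and `check_single_output` and `run_setup` are helper names chosen for this example.

```shell
#!/bin/sh
# Suricata -> Filebeat -> Logstash -> Elasticsearch, two-phase Filebeat setup.
# Hosts below are placeholders; override them via the environment.
set -eu

ES_HOST="${ES_HOST:-elastic.example.internal:9200}"
KIBANA_HOST="${KIBANA_HOST:-kibana.example.internal:5601}"
LS_HOST="${LS_HOST:-logstash.example.internal:5044}"

# Shipping-phase filebeat.yml: modules enabled, Logstash as the ONLY output.
write_filebeat_yml() {  # $1 = destination path
  cat > "$1" <<EOF
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false
setup.kibana:
  host: "${KIBANA_HOST}"
output.logstash:
  hosts: ["${LS_HOST}"]
EOF
}

# Filebeat only accepts one output section; return 0 when exactly one of
# output.elasticsearch / output.logstash is present in the file.
check_single_output() {  # $1 = filebeat.yml path
  n=$(grep -cE '^output\.(elasticsearch|logstash):' "$1" || true)
  [ "$n" -eq 1 ]
}

# One-time setup: loads the index template, ingest pipelines and Kibana
# dashboards. The -E overrides disable the Logstash output and point this
# single run at Elasticsearch, leaving filebeat.yml unchanged for shipping.
run_setup() {  # $1 = filebeat.yml path
  filebeat -c "$1" modules enable suricata
  filebeat -c "$1" setup -e \
    -E output.logstash.enabled=false \
    -E "output.elasticsearch.hosts=['${ES_HOST}']" \
    -E "setup.kibana.host=${KIBANA_HOST}"
}

# Only touch the real config when explicitly asked (./setup.sh --apply).
if [ "${1:-}" = "--apply" ]; then
  write_filebeat_yml /etc/filebeat/filebeat.yml
  check_single_output /etc/filebeat/filebeat.yml
  run_setup /etc/filebeat/filebeat.yml
fi
```

After setup completes, start Filebeat normally; it ships to Logstash using the file as written, and setup is only repeated when a module is added or the stack is upgraded.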

Sorry for the delay,

In fact, I am following this tutorial: GitHub - robcowart/synesis_lite_suricata: Suricata IDS/IPS log analytics using the Elastic Stack.

And I have the problem shown in the screenshot above.

Hi @Yves_Silvere_Randria

Apologies, but I am not going to be able to help you much with following that guide, as it is not part of our documentation and it is several years old.

I can tell you there is a Suricata module for Filebeat, and I would recommend using that.
