I need to collect Suricata logs from a machine. By default Suricata has a template in Kibana: if logs are collected with Filebeat and the Suricata Filebeat module is installed, dashboards are created automatically. Everything is taken care of!
But I don't have a provision to collect logs via Filebeat due to a special case.
All I can afford is sending logs to a Logstash syslog input plugin.
How can I apply the default Suricata dashboard to interpret the logs collected from Suricata automatically into a custom index name?
You have to take care that Logstash transforms the data into the same schema Filebeat would, and also saves it in the same index. Then the dashboard should work.
I do understand that we can write to different indexes with different names using Logstash, no doubt about that. My question is: if I'm writing to an index with a different name, how can I use the default Suricata dashboard provided by the ELK SIEM to read and populate data from that custom-named index? I wonder if we can do some tweaking to achieve this.
Well, you can create an index pattern to make the dashboard use the data from multiple indexes.
For example: if your indexes are named "surcata-es" and "surcata-mine", you can create an index pattern with "surcata-*" in Kibana.
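As an added example (not from this thread or from the Filebeat module itself), a Logstash pipeline that does what the two replies above describe: it takes Suricata EVE records from a syslog input, copies a subset of the fields into the ECS names the Filebeat Suricata module uses, and writes them to an index whose name the dashboards' index pattern can match. The port, the Elasticsearch host, the index name and the field subset are assumptions.

```logstash
input {
  # Port is an assumption; point Suricata's syslog EVE output at it.
  syslog {
    port => 5514
  }
}
filter {
  # The syslog "message" field carries one Suricata EVE JSON record.
  json {
    source => "message"
    target => "[suricata][eve]"
  }
  # Use the event's own timestamp rather than the syslog receive time.
  date {
    match => [ "[suricata][eve][timestamp]", "ISO8601" ]
  }
  # Copy EVE fields to the ECS names Filebeat uses (illustrative subset).
  mutate {
    copy => {
      "[suricata][eve][src_ip]"    => "[source][ip]"
      "[suricata][eve][src_port]"  => "[source][port]"
      "[suricata][eve][dest_ip]"   => "[destination][ip]"
      "[suricata][eve][dest_port]" => "[destination][port]"
      "[suricata][eve][proto]"     => "[network][transport]"
    }
  }
  # Separate mutate: copy runs last inside a mutate, so lowercase
  # would otherwise see no network.transport field yet.
  mutate {
    lowercase => [ "[network][transport]" ]
    add_field => {
      "[event][module]"  => "suricata"
      "[event][dataset]" => "suricata.eve"
    }
  }
  if [suricata][eve][event_type] == "alert" {
    mutate {
      copy => { "[suricata][eve][alert][signature]" => "[rule][name]" }
      add_field => { "[event][kind]" => "alert" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # Filebeat's dashboards query the filebeat-* pattern; any other
    # name needs its own index pattern in Kibana, as the reply says.
    index => "filebeat-suricata-%{+YYYY.MM.dd}"
  }
}
```

The visualisations also depend on the field mappings from the Filebeat index template, so check that the template's index pattern covers whatever index name you choose.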