License question - am I basic or open source?

I have installed ELK stack on FreeBSD using pkg manager.
Kibana reports my license as BASIC.
I don't appear to have the suricata module.
Can someone please confirm which license I have?

You are on the Basic license. Suricata is part of the Basic license.

I suspect you are looking for Suricata under the Ingest Manager? 7.9 is the very first release with the new Agent and Ingest Manager. It appears Suricata logs did not make this first release. I suspect it will be supported in an upcoming release.

In the meantime you can ingest Suricata logs with the following method.

To ingest Suricata you need to install Filebeat with the Suricata module.

Click on the Kibana Home button on the top right, Add Security Events, click on Suricata and follow the instructions.

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-suricata.html

Thank you for confirming I am on the Basic license @stephenb

It appears I am on 7.7.1 which seems to be the latest for FreeBSD.

I have installed the beats7 package but the Suricata module doesn't appear to be present.

From what I can see (and I am an ELK newbie), this module only creates Kibana dashboards, is that right?

I have Suricata logs being sent to Redis, which is being sent to Logstash, which is being sent to Elasticsearch successfully. I think my next challenge is to implement a template in between Logstash and Elasticsearch using this as a guide:
https://github.com/gregwjacobs/ElasticSuricata

Would you agree this would be a good next step?

Hi @bn1980

Lets see, lots to parse there... :slight_smile:

I am not an expert in any form on FreeBSD, so someone else may need to chime in.

1st, from what it looks like by the list of modules, that is the OSS distribution of Filebeat, not the default / Basic distribution of Filebeat; that is why the Suricata module is missing (a couple of others are missing as well).

2nd, modules do more than just set up visualizations. Modules configure / control a number of aspects:

  • Where / how to collect the telemetry
  • Mapping (and specifically mapping to Elastic Common Schema, which we will come back to, and which will allow automatic use of the SIEM app)
  • Ingest Pipeline : The parsing and mapping of the data on ingest
  • Visualizations
  • And any other capabilities like Anomaly Detection jobs.

3rd, now to your approach.

I can not really comment on the repo you posted, other than it looks like it has not been updated in 3 years.

In general, if you want to take advantage of the SIEM app and existing visualizations, I would map the fields to the Elastic Common Schema (ECS); then you will be able to take advantage of the SIEM app, Anomaly Jobs etc. and perhaps the dashboards... which I think is perhaps a better long term approach.

There are 2 meta approaches: 1) try to ingest the data into the Filebeat index, or 2) create your own index and mappings. You can add your own index to the SIEM settings, so that is a fine approach.

I would get a copy of the Basic Filebeat distribution and run setup with the Suricata module. If you can not find the Basic one for FreeBSD, just load it on another OS, point it to your cluster and run setup; it only needs to be run once. OR, if you are putting this in a non-Filebeat index, you will just need to create your own mapping and parsing logic (you won't get the dashboards / viz based on Filebeat for free; you will need to re-create them with your own index).

Then I would follow these instructions about mapping the fields to ECS:
https://www.elastic.co/guide/en/security/current/siem-field-reference.html

Not every field needs to be mapped.
Here is the list of Suricata specific fields:
https://www.elastic.co/guide/en/beats/filebeat/7.7/exported-fields-suricata.html

I think this approach (mapping to ECS etc.) will perhaps put you on a longer term path.

Hope that helps a bit.

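
One way to do the ECS mapping step described in the answer above, as an added example that is not from the thread, the linked repo, or the Filebeat module itself: a small Python mapper that turns one Suricata EVE JSON line into an ECS-shaped document, keeping whatever it does not map under suricata.eve.* so nothing is dropped. The field pairs in ECS_MAP are a hand-picked subset chosen for illustration, and the sample alert line is constructed.

```python
import json

# Constructed sample EVE alert line; all values are made up.
SAMPLE_EVE = json.dumps({
    "timestamp": "2020-08-20T10:15:30.000000+0000", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51515, "flow_id": 1234, "proto": "TCP",
    "dest_ip": "192.0.2.10", "dest_port": 80,
    "alert": {"signature_id": 2100498, "severity": 2, "category": "Potentially Bad Traffic",
              "signature": "GPL ATTACK_RESPONSE id check returned root"}})

# Subset of the EVE -> ECS mapping (dotted EVE path -> ECS field). The full
# list the Filebeat module uses is in the exported-fields doc linked above.
ECS_MAP = {
    "timestamp": "@timestamp", "proto": "network.transport",
    "src_ip": "source.ip", "src_port": "source.port",
    "dest_ip": "destination.ip", "dest_port": "destination.port",
    "alert.signature": "rule.name", "alert.signature_id": "rule.id",
    "alert.category": "rule.category", "alert.severity": "event.severity",
}

def _flatten(obj, prefix=""):
    """Turn nested dicts into {"alert.severity": 2, ...}."""
    out = {}
    for key, val in obj.items():
        if isinstance(val, dict):
            out.update(_flatten(val, prefix + key + "."))
        else:
            out[prefix + key] = val
    return out

def _set(doc, path, value):
    # Write value at a dotted path, creating intermediate objects as needed.
    keys = path.split(".")
    for key in keys[:-1]:
        doc = doc.setdefault(key, {})
    doc[keys[-1]] = value

def eve_to_ecs(line):
    """Return an ECS-shaped document; unmapped EVE fields are kept under
    suricata.eve.* (the layout the Filebeat module uses) so nothing is lost."""
    eve = json.loads(line)
    kind = "alert" if eve.get("event_type") == "alert" else "event"
    doc = {"event": {"module": "suricata", "dataset": "suricata.eve", "kind": kind}}
    for key, val in _flatten(eve).items():
        dst = ECS_MAP.get(key, "suricata.eve." + key)
        if dst == "network.transport":
            val = val.lower()  # ECS keeps transport names lowercase
        elif dst == "rule.id":
            val = str(val)     # rule.id is a keyword field in ECS
        _set(doc, dst, val)
    return doc
```

The same mapping can be expressed as a Logstash filter or an Elasticsearch ingest pipeline once you have settled on the field list; the point is that SIEM app queries key off the ECS names on the left-hand side of the document, not the raw EVE names.
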
Also, if you have Security Analytics questions I would post them in that category; with this subject title and category here I don't think you'll get many responses.