Logstash and Suricata

Hello

I am getting Suricata messages from QRadar which I need to save in a file.
The Suricata module on Filebeat will add them to Elasticsearch.

I have the following problem:

This is what Logstash writes into the file when I use the normal input and output (without filters or anything):

{"@version":"1","host":"x.x.x.x","@timestamp":"2021-03-23T18:20:29.702Z","message":"<174>Mar 23 19:21:05 hostxxx suricata[23719]: {"timestamp":"2021-03-23T19:21:05.688188+0100","flow_id":130516297813980,"in_iface":"eth3","event_type":"alert","src_ip":"x.x.x.x","src_port":xx,"dest_ip":"x.x.x.x","dest_port":x,"proto":"xxx","alert":{"action":"allowed","gid":1,"signature_id":2xxxx,"rev":xxx,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group xx","category":"Misc Attack","severity":2,"metadata":{"affected_product":["Any"],"attack_target":["Any"],"created_at":["20xx_xx_xx"],"deployment":["Perimeter"],"signature_severity":["Major"],"tag":["COMPROMISED"],"updated_at":["2021_xx_xx"]}},"dns":{"query":[{"type":"query","id":xxxx,"rrname":"xxxx.xxxx..xx","rrtype":"A","tx_id":0}]},"app_proto":"xxx","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":87,"bytes_toclient":0,"start":"2021-03-23T19:21:05.688188+0100"}}\n"}

When I add the codec plugin "plain", then I get the following output in the file:

2021-03-23T18:33:21.265Z xx.x.x.x <174>Mar 23 19:33:57 xxxx suricata[23719]: {"timestamp":"2021-03-23T19:33:57.340639+0100","flow_id":xxxxx719,"in_iface":"eth3","event_type":"alert","src_ip":"xxxxx:XXXx:xxxx....","src_port":xxx,"dest_ip":"xxx:Xxxxx:XXxxx:Xxxxx1","dest_port":xxxx,"proto":"XXX","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":yyyyy,"rev":2,"signature":"XXXXX","category":"XX yyy xxx yy","severity":1,"metadata":{"created_at":["2011_03_21"],"updated_at":["2019_09_28"]}},"dns":{"query":[{"type":"query","id":48604,"rrname":"1y.xxx.xxx.xxx","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":117,"bytes_toclient":0,"start":"2021-03-23T19:33:57.340639+0100"}}

I need to remove the part of the line before {"timestamp"

This needs to be removed, otherwise the Filebeat Suricata module does not work.

2021-03-23T18:33:21.265Z xx.x.x.x <174>Mar 23 19:33:57 xxxx suricata[23719]:

The text up to <174> is automatically attached by Logstash:

2021-03-23T18:33:21.265Z xx.x.x.x 

Does anybody have any idea how to solve this problem?
Is Logstash maybe unable to do it?

If you do not specify the message format then the plain codec calls .to_s on the event to generate the output. The toString method of the event concatenates the timestamp, host field and message field.

You could try

codec => plain { format => "%{message}" }

Hi Badger

Thank you very much for your help!

Now I fixed it with the grok filter:

filter {
  grok {
    # Strip the RFC 3164 syslog header ("<PRI>Mon dd hh:mm:ss host suricata[pid]: ")
    # and keep the EVE JSON that follows it in the field "xxx"
    match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:xxx}" }
  }
}

output {
  file {
    path => "/var/lib/suricata/suricata.log"
    # Write only the captured JSON, one event per line, so the Filebeat suricata module can read it
    codec => plain { format => "%{xxx}" }
  }
}
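The same split the grok filter above performs, written as a stand-alone Python check. This is an added example, not code from the thread or from Logstash; it is useful for verifying the file Logstash produces before Filebeat reads it, because the Filebeat suricata module needs one complete EVE JSON object per line and nothing else. The regex accepts both shapes seen in the thread (the raw syslog message, and the same message with the "@timestamp host " prefix the default plain codec adds), validates that what follows the header is exactly one JSON object, and rejects truncated or header-less lines instead of passing them through. All sample lines, hostnames, addresses and signature values are constructed.

```python
"""Strip the syslog header in front of Suricata EVE JSON and keep only lines
that are one complete JSON object.  Added example; sample data is constructed."""
import json
import re
from typing import List, Optional, Tuple

# Optional "<ISO @timestamp> <host> " prefix written by Logstash's default plain codec,
# then an RFC 3164 header "<PRI>Mon dd hh:mm:ss host prog[pid]: ", then the payload.
SYSLOG_EVE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+\S+\s+)?"  # plain-codec prefix (optional)
    r"<(?P<pri>\d{1,3})>"                          # syslog PRI, e.g. <174>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<payload>\{.*)$",                         # everything from the first '{'
    re.DOTALL,
)

_decoder = json.JSONDecoder()


def split_pri(pri: int) -> Tuple[int, int]:
    """Decode a syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def extract_eve(line: str) -> Optional[Tuple[dict, str]]:
    """Return (parsed record, original JSON text) for one output line, or None when
    the line has no syslog header or the payload is not exactly one EVE object."""
    m = SYSLOG_EVE.match(line.rstrip("\r\n"))
    if not m:
        return None
    payload = m.group("payload")
    try:
        record, end = _decoder.raw_decode(payload)
    except json.JSONDecodeError:          # truncated or otherwise broken JSON
        return None
    if payload[end:].strip():             # trailing junk after the object
        return None
    if not isinstance(record, dict) or "timestamp" not in record or "event_type" not in record:
        return None
    return record, payload[:end]


def to_ndjson(lines: List[str]) -> Tuple[List[str], int]:
    """Convert Logstash output lines to newline-delimited EVE JSON (the original
    payload text, unmodified) and count the lines that had to be dropped."""
    kept, dropped = [], 0
    for line in lines:
        result = extract_eve(line)
        if result is None:
            dropped += 1
            continue
        kept.append(result[1])
    return kept, dropped


# Constructed sample lines in the two shapes shown in the thread, plus two bad ones.
SAMPLE_LINES = [
    # raw message as the syslog forwarder delivers it
    '<174>Mar 23 19:21:05 sensor01 suricata[23719]: {"timestamp":"2021-03-23T19:21:05.688188+0100",'
    '"flow_id":1,"in_iface":"eth3","event_type":"alert","src_ip":"192.0.2.10","src_port":40000,'
    '"dest_ip":"198.51.100.5","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,'
    '"signature_id":9999999,"rev":1,"signature":"CONSTRUCTED TEST SIGNATURE","category":"Misc Attack",'
    '"severity":2}}\n',
    # same kind of event after the default plain codec prepended "@timestamp host "
    '2021-03-23T18:33:21.265Z 192.0.2.254 <174>Mar 23 19:33:57 sensor01 suricata[23719]: '
    '{"timestamp":"2021-03-23T19:33:57.340639+0100","flow_id":2,"event_type":"dns",'
    '"src_ip":"192.0.2.11","dest_ip":"198.51.100.5","proto":"UDP","dns":{"type":"query","id":48604,'
    '"rrname":"example.test","rrtype":"A"}}\n',
    # truncated payload: must be rejected rather than written half-way into the file
    '<174>Mar 23 19:34:00 sensor01 suricata[23719]: {"timestamp":"2021-03-23T19:34:00+0100","event_type":"alert"\n',
    # no syslog header at all
    "just some unrelated text\n",
]

if __name__ == "__main__":
    eve_lines, bad = to_ndjson(SAMPLE_LINES)
    print(f"kept {len(eve_lines)} events, dropped {bad} lines")
    for eve in eve_lines:
        print(eve)
```

Writing the original payload substring rather than re-serialising the parsed dict keeps Suricata's own number and string formatting intact; the parse step is only there to prove the line is one well-formed object before it reaches Filebeat.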
