Hi all,
I am trying to filter snort alerts. I need to display the output on a Kibana dashboard. I have created the filtering script "logstash_snort.conf" in the /opt/bitnami/logstash/conf directory. Logstash is running fine; however, it seems the snort alerts are not filtered.
```conf
input {
  udp {
    type => "snort"   # tag events so the filter section can match on [type]
    port => 5044      # must be the port the Snort side sends to
  }
}
filter {
  # ....... (filter plugins elided in the post)
}
```
I am assuming the port is the same as indicated in our filebeat file.
You can use either TCP or UDP as far as Logstash is concerned. That's up to you. Just make sure your configuration matches the choice you make on the Snort side.
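As an added example (not code from the post above or from Elastic), here is a complete pipeline for the setup being discussed: a UDP input on port 5044 tagged `snort`, a grok filter for Snort's alert_fast line format, and an Elasticsearch output, so that a parsed or unparsed event is visible either way. It assumes the sensor sends one plain alert_fast line per UDP datagram with no syslog header, and that Elasticsearch listens on localhost:9200; the sample alert in the comment is constructed.

```conf
# Added example pipeline, not taken from the post. Assumptions: alerts arrive
# as raw alert_fast lines over UDP (no syslog prefix); Elasticsearch is local.
input {
  udp {
    port => 5044          # must match the port the Snort side sends to
    type => "snort"       # lets the filter and output act only on Snort events
  }
}

filter {
  if [type] == "snort" {
    grok {
      # Constructed sample line this pattern parses:
      # 01/15-12:34:56.789012  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
      match => {
        "message" => "%{DATA:snort_ts}\s+\[\*\*\]\s+\[%{INT:gid:int}:%{INT:sid:int}:%{INT:rev:int}\]\s+%{DATA:signature}\s+\[\*\*\]\s+(?:\[Classification:\s+%{DATA:classification}\]\s+)?\[Priority:\s+%{INT:priority:int}\]\s+\{%{WORD:protocol}\}\s+%{IP:src_ip}(?::%{INT:src_port:int})?\s+->\s+%{IP:dst_ip}(?::%{INT:dst_port:int})?"
      }
      # Unparsed lines are kept, tagged, so they can be found in Kibana
      tag_on_failure => ["_snort_grok_failure"]
    }
    date {
      # alert_fast timestamps carry no year; the date filter assumes the current one
      match => [ "snort_ts", "MM/dd-HH:mm:ss.SSSSSS" ]
      remove_field => [ "snort_ts" ]
    }
  }
}

output {
  if [type] == "snort" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "snort-%{+YYYY.MM.dd}"
    }
  }
}
```

If events reach Kibana carrying the `_snort_grok_failure` tag, the input side is working and it is the grok pattern that needs adjusting to the exact line format the sensor emits; if no events arrive at all, check the port and protocol on the Snort side first.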