Has anyone made or heard of a Snort plugin for Logstash?
I found this and will try it out sometime next week, but if anyone has succeeded in getting Snort alerts parsed and into ELK I would really like to hear how they went about it.
I have a Security Onion setup with Snort and a feed from Emerging Threats to generate alerts. I would like to add this to the mix of my current firewall log ELK stack.
PS: any tentative release date on Filebeat?
I am currently working on a new Beat (maybe called UnifiedBeat) to ship alerts from Snort's unified2 files to Elasticsearch ... but I am just beginning and plan to use Filebeat as a starting point (even though unified2 files are binary and not line-delimited like syslogs).
Previously, I open sourced a Python app on GitHub called uni2espy. It uses Jason Ish's IdsTools to tail/read/parse Snort's unified2 files and index the alerts into Elasticsearch.
Both should also work with Suricata, which can create unified2 files.
For my usage I will prefer the Golang Beat version, as it's easier to deploy and so on. But we have been using Uni2EsPy for over two years (it has only been open sourced for a year now).
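As an added illustration of why unified2 cannot be tailed line by line (this is example code, not cleesmith's UnifiedBeat or uni2espy, and not from Snort itself), the Go block below walks the binary record framing, decodes the IPv4 IDS event record, and stops at a record whose payload has not been fully written yet. The sample bytes are constructed; the field layout and record type follow Snort's unified2.h.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Every unified2 record is framed by two big-endian uint32s (record type,
// payload length); type 7 is UNIFIED2_IDS_EVENT, the IPv4 alert record.
const recordTypeIDSEvent = 7

// IDSEvent mirrors the 52-byte UNIFIED2_IDS_EVENT payload (all big-endian).
type IDSEvent struct {
	SensorID, EventID, EventSecond, EventMicrosecond uint32
	SignatureID, GeneratorID, SignatureRevision      uint32
	ClassificationID, PriorityID                     uint32
	IPSource, IPDestination                          uint32
	SportItype, DportIcode                           uint16
	Protocol, ImpactFlag, Impact, Blocked            uint8
}

// ParseUnified2 decodes the complete records in buf, returning the IDS events
// and the bytes consumed; a trailing partial record is left for the next read.
func ParseUnified2(buf []byte) ([]IDSEvent, int, error) {
	var events []IDSEvent
	off := 0
	for len(buf)-off >= 8 {
		rtype := binary.BigEndian.Uint32(buf[off:])
		rlen := int(binary.BigEndian.Uint32(buf[off+4:]))
		if len(buf)-off-8 < rlen {
			break // incomplete record: Snort may still be writing it
		}
		if rtype == recordTypeIDSEvent {
			var ev IDSEvent
			r := bytes.NewReader(buf[off+8 : off+8+rlen])
			if err := binary.Read(r, binary.BigEndian, &ev); err != nil {
				return events, off, fmt.Errorf("record at offset %d: %w", off, err)
			}
			events = append(events, ev)
		}
		off += 8 + rlen // packet and extra-data records are skipped here
	}
	return events, off, nil
}

// SampleFile is a constructed unified2 stream: one complete alert followed by
// the header of a second record whose 52-byte payload has not been written yet.
func SampleFile() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, [2]uint32{recordTypeIDSEvent, 52})
	binary.Write(&b, binary.BigEndian, IDSEvent{SignatureID: 1000001, GeneratorID: 1, PriorityID: 2, Protocol: 6, DportIcode: 443})
	return append(b.Bytes(), 0, 0, 0, 7, 0, 0, 0, 52)
}
```

A shipper built on this would remember the returned offset and re-read from it once the file grows, which is the piece a line-oriented tailer cannot provide.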
Hey @cleesmith, thank you for your UnifiedBeat contribution.
Any chance this is working on ELK (v5.1.2)? I am currently using Filebeat and either plain log or JSON files from Security Onion boxen. I would love to get the unified2 logs from both Snort and Suricata instead. I'm thinking about building it out with UnifiedBeat, but figured I'd ask if this has been done before.