Suricata and Kibana in Ubuntu 18.04

How can I use ELK with the Suricata that I installed on Ubuntu 18.04?

I have followed the link: https://www.google.com/amp/s/logz.io/blog/network-security-monitoring/amp/

But after Kibana opens, it appears that it cannot define an index pattern.

So are you sending the logs with Filebeat?

You might need to load the ingest pipeline from Filebeat (it needs a connection to Elasticsearch).

The command is:
filebeat setup --pipelines --modules suricata

Thank you Camilo Diaz for your response, I'll try it.

I'm trying to use the Filebeat Suricata module to send logs to Logstash and then to Kibana for visualization.

I've tried it on my project.

When I write the command:
filebeat setup --pipelines --modules suricata

this appears:

Exiting: error loading config file: yaml: line 30: did not find expected '-' indicator

with my filebeat.yml settings as in the picture that I attached.

Kibana status is green and the user is the same as on my computer,

but when I create Discover and then an index pattern,
the same message as before appears: Couldn't find any Elasticsearch data

Sorry for taking up your time :frowning:

If you use modules, then the config should be in /etc/filebeat/modules.d/suricata.yml

From your screenshot I see the config is in filebeat.yml, which is not correct.

Maybe start over with your filebeat.yml and have a look at the documentation.
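The two pieces of advice in this thread (load the module's ingest pipeline with `filebeat setup --pipelines --modules suricata`, and keep module settings in modules.d/suricata.yml rather than filebeat.yml) put together as one script. This is an added example, not code from the thread or from Elastic; it assumes the Ubuntu package layout (/etc/filebeat, /var/log/suricata/eve.json) and an Elasticsearch host given by the placeholder `ES_HOST`. The `-E` overrides matter when Filebeat's output is Logstash: `setup --pipelines` still needs a direct Elasticsearch connection, so the Logstash output is disabled for that one command.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are Ubuntu package defaults;
# ES_HOST is an assumed placeholder. Override via environment variables.

FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"
MODULES_DIR="${MODULES_DIR:-/etc/filebeat/modules.d}"
ES_HOST="${ES_HOST:-localhost:9200}"   # assumption: local Elasticsearch

# Module settings belong in modules.d/suricata.yml. This writes a minimal,
# valid module file: a YAML list item ("- module:") with a two-space-indented
# mapping under it. The eve.json path is Suricata's default on Ubuntu.
write_suricata_module_config() {
    cat > "$1" <<'EOF'
- module: suricata
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]
EOF
}

# Returns 0 when the given module file enables the suricata module.
suricata_module_enabled() {
    if grep -q '^- module: suricata' "$1" && grep -q '^ *enabled: true' "$1"; then
        return 0
    fi
    return 1
}

# Returns 0 when a suricata module block was pasted into filebeat.yml, the
# misplacement the thread points out (and a common source of YAML
# "did not find expected '-' indicator" errors when the indentation is off).
module_misplaced_in_main_config() {
    if grep -q '^ *- *module: suricata' "$1"; then
        return 0
    fi
    return 1
}

# Validate the config, enable the module, and load the ingest pipeline into
# Elasticsearch. With a Logstash output, setup needs the ES override shown.
load_suricata_pipelines() {
    filebeat test config -c "$FILEBEAT_YML"
    filebeat modules enable suricata
    filebeat setup --pipelines --modules suricata \
        -E output.logstash.enabled=false \
        -E "output.elasticsearch.hosts=[\"$ES_HOST\"]"
}

# Usage: sh setup-suricata-module.sh run   (requires filebeat on PATH)
if [ "${1:-}" = "run" ]; then
    if module_misplaced_in_main_config "$FILEBEAT_YML"; then
        echo "module block found in $FILEBEAT_YML; move it to $MODULES_DIR/suricata.yml" >&2
        exit 1
    fi
    write_suricata_module_config "$MODULES_DIR/suricata.yml"
    load_suricata_pipelines
    systemctl restart filebeat
fi
```

If Filebeat ships to Logstash, the Logstash elasticsearch output also has to pass the pipeline name through (`pipeline => "%{[@metadata][pipeline]}"`), otherwise the loaded pipeline is never applied and the Suricata fields stay unparsed.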

The module I've activated is needed.

After I restarted Filebeat and Kibana, I finally got it. Thank you @Camilo_Diaz

But a new problem arises: is there a setting for the request process?

When Kibana initially can detect within 30 minutes, a warning appears: No results match your search criteria.

How about this?

Thank you
