SURICATA LOGS NOT SHOWING UP IN NETWORK EVENTS IN ELASTIC SIEM

Elastic Security Endpoint Security
1

Hi,
I have installed elastic agent, on my host machine. I created a policy named suricata and I have added integrations of endpoint security and suricata. At the host end I have installed centos and have installed suricata there. Now when I enroll the elastic agent and start it then I see the endpoint security and filebeat logs in host events but did not see any thing in the network events in filebeat. To address this I have mannually installed filebeat on host end and enable suricata and started filebeat. Now the index is showing logs in the discover tab but same index cannot be used in the elastic security where we select metrics and logs index.
Can any one tell me what exactly the issue is. It will be a great favor indeed. Thankyou

image
image744×382 26.7 KB

image
image1363×410 57.6 KB

image
image1094×333 55.3 KB

So far the above screeenshots can describe the issue I am facing. Please give me a remedy on this. My purpose is to visualize the suricata events in the network events in the filebeat like in the host events

2

Did you run filebeat setup -e before starting filebeat?

3

yes I have tried

4

Ohh I just reread....

So you tried Elastic Agent suricata integration and then filebeat suricata module?

Probably don't want both ...

When you look at the events in Discover are all the suricata fields there? Has the event.original been all parsed into individual fields?

If not Perhaps your suricata has a customized format...

5

Ok, so you are talking about the version mismatching of suricata integration and actual suricata

6

Yes perhaps.. are the events all parsed correctly when you look in Discover? Do you see all the individual fields that you would of expect? Or is there just the event.original field without all the other separate fields.

You did not answer that.

Also did you make any changes to the Agent or Filebeat config?

Can you post some samples of your suricata logs? (In text not screen shot.. and please format then with the </> button

7

So Far this is the result I am seeing when I go to discover and select filebeat index there
<"timestamp":"2022-01-04T19:31:59.384597+0500","event_type":"stats","stats":{"uptime":542089,"capture":{"kernel_packets":2,"kernel_drops":0,"errors":0},"decoder":{"pkts":2,"bytes":120,"invalid":0,"ipv4":2,"ipv6":0,"ethernet":2,"raw":0,"null":0,"sll":0,"tcp":0,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vxlan":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":60,"max_pkt_size":60,"erspan":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":0,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0,"opt_pad_required":2,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pkt":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"trunc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hopopts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"opt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_small":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"version1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0,"too_many_layers":0},"ieee8021ah":{"header_too_small":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"mpls":{"header_too_small":0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_version":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0}},"too_many_layers":0},"flow":{"memcap":0,"tcp":0,"udp":0,"icmpv4":0,"icmpv6":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7474304},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"local_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"midstream_pickups":0,"pkt_on_wrong_thread":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":2867200,"reassembly_memuse":491520},"detect":{"engines":[{"id":0,"last_reload":"2021-12-29T12:57:25.630866+0500","rules_loaded":23330,"rules_failed":0}],"alert":0},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ikev2":0,"krb5_tcp":0,"dhcp":0,"snmp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0},"expectations":0},"flow_mgr":{"closed_pruned":0,"new_pruned":0,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"http":{"memuse":0,"memcap":0},"ftp":{"memuse":0,"memcap":0},"file_store":{"open_files":0}}}/>

image
image1542×616 62.9 KB

8

With respect to the Elastic Agent issue with the Suricata integration, I recommend to verify that the log path is configured correctly. Then check the logs from the Agent (see View Elastic Agent logs in Fleet | Fleet and Elastic Agent Guide [7.16] | Elastic) to see if there are any issues. You can share them here if you like.

Also to better help, please share the policy applied to Agent so we can see exactly how it's configured. See Elastic Agent policies | Fleet and Elastic Agent Guide [7.16] | Elastic.

9

Thats just Suricata Stats data, its not the actual network logs. The stats data is not shown in the SIEM as its just a metric of what Suricata has done. Have you looked at the eve.json file to see if there is actual data and as Andrew said, is the path to that file correct in the Agent config?

10

The following is the poilicy with suricata logs integration

image
image1246×301 19.2 KB

here is the path metioned in suricata logs integration

image
image930×669 47.1 KB

This is my suricata.yml in filebeat
image

This is the file /var/log/suricata/eve.json

image
image1676×219 28.3 KB

Now please guide me what should I alter that the logs will appear in the network events where I am going wrong Please guide

11

Are u using both the agent and filebeat to read the suricata logs? Are there any errors from either?

12

According to what we have been told the path to the eve.json is correct within the Fleet integration. Can you please check if you have any events by using the Kibana dev console to run this command and post the output:

GET _cat/indices/logs-suricata*?v

And please share the Elastic Agent logs.

13

I have used first only elasticagent and added suricata intergration on it in the elastic security but that seems not working. then I have installed filebeat and suricata on the agent machine and then filebeat index has showed logs of suricata but they are not showing in the elasticsearcuty network events

14

Ok I will check that and will update accordingly

15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.