I managed to set up the Elastic Stack on my Ubuntu VM (my host is Windows). I installed Sysmon on my host and successfully connected it with Winlogbeat. I can now see the Winlogbeat logs in the Kibana UI - this is awesome. However, now I want to expand my Elastic Stack to get closer to my goal - having an open source SIEM working.
I want to add Suricata / Snort / Bro as my data sources. But I tried installing Bro with the guides I found here:
BRO with ELK
and I was not successful. I could not see any Bro logs: although in Kibana I could find the logstash index pattern, in my 'Discover' tab there were still only Sysmon logs, even when I switched to the different index.
Then I went on to try and install Suricata with the help of the following guide:
Suricata with ELK
I seem to get the eve.json file populated with logs, but I cannot display them in Kibana. I don't want to install one of those templates, because I already have some dashboards configured for my Sysmon data and don't want to lose them.
Since I do not have any error output, and the question 'What is wrong?' would probably be too general to ask, I am asking for a validated URL to a video/tutorial/blog where I can get step-by-step instructions on how to add Suricata / Snort / Bro to my existing Elastic Stack with my Winlogbeat already running.
Any suggestion would be greatly appreciated.
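The usual way to get Suricata's eve.json into an existing Elastic Stack without touching the Winlogbeat index or its dashboards is a separate Filebeat instance that decodes the JSON lines and writes them to their own index. The configuration below is an added example and not part of the original post or of any of the linked guides; the eve.json path, the Elasticsearch address and the index name `suricata-*` are assumptions and should be adjusted to the actual setup.

```yaml
# Added example: a Filebeat configuration (e.g. /etc/filebeat/filebeat.yml)
# for shipping Suricata EVE JSON to Elasticsearch next to an existing
# Winlogbeat setup. Assumptions: Suricata writes to /var/log/suricata/eve.json,
# Elasticsearch listens on localhost:9200, Filebeat runs on the same Ubuntu VM.

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/suricata/eve.json
    # eve.json holds one JSON object per line; decode it into fields
    # instead of storing the whole line as a single "message" string.
    json.keys_under_root: true
    json.add_error_key: true
    # Tag the events so they are easy to filter in Discover.
    tags: ["suricata"]
    fields:
      source_type: suricata
    fields_under_root: true

# Give Suricata its own index template so the winlogbeat-* index,
# its template and the Sysmon dashboards stay untouched. Both
# setup.template options are required when output.elasticsearch.index
# is overridden.
setup.template.name: "suricata"
setup.template.pattern: "suricata-*"
# Do not load Filebeat's sample dashboards into Kibana.
setup.dashboards.enabled: false

output.elasticsearch:
  hosts: ["localhost:9200"]
  # Daily indices, e.g. suricata-2019.03.01, matching the pattern above.
  index: "suricata-%{+yyyy.MM.dd}"
```

Before starting the service, `filebeat test config` and `filebeat test output` check the file and the connection to Elasticsearch. Once Filebeat is running, `curl 'localhost:9200/_cat/indices/suricata-*?v'` should list a new index with a growing document count; the last step is creating a `suricata-*` index pattern in Kibana (Management > Index Patterns) with `@timestamp` as the time field. The `@timestamp` that Filebeat adds is safer than Suricata's own `timestamp` field here, because Suricata writes offsets like `+0100`, which Elasticsearch's default date detection may not recognise, so that field can end up mapped as text.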