Unifi Ubiquity USG IPS Suricata Filebeat Logging

Dallas_Toth · April 27, 2020, 4:06am

So with some help from multiple sources. On Elastic 7.6.2 and Unifi Controller 5.12.66

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

https://pastebin.com/xASkU5dm
Here is how you install Filebeat on the USG with the Suricata module and what you need to edit in the suricata*.yaml files in order to send your events/alerts to ES.

Unifi has been dragging their feet on getting the logs outside these devices.
Items left to do here is see if the suricata*.yaml files get overwritten and find a way to get Filebeat to run as a service. You couldn't just install filebeat as you see in the youtube because you recompile it for mips64

Dallas_Toth · May 14, 2020, 3:47pm

FYI the firmware updates will wipe out all your changes on the USG and you will need to re input the surcata*.yaml changes as well as redeploy the filebeat mips service.

warkolm · May 14, 2020, 10:49pm

Yeah that's a real PITA for things like USGs. When I set this up a while back, I did find a blog/post/something to script a reinstall process, but I can't find it now sorry

Topic		Replies	Views
Ingesting surricata logs Elasticsearch	13	2388	August 11, 2022
Filebeat suricata Beats beats-module , filebeat	10	1134	June 28, 2022
License question - am I basic or open source? Elasticsearch	7	676	October 29, 2020
How do I adding Suricata events to Elasticsearch SIEM	8	1299	May 7, 2024
Failing to get filebeat with suricata module to work Beats filebeat	8	1694	October 20, 2022

Unifi Ubiquity USG IPS Suricata Filebeat Logging

Related topics