- Suricata version - 7.0
- Operating system and/or Linux distribution - ubuntu server
- How you installed Suricata - source
I have installed Suricata on the Ubuntu server and it is up and running fine.
I wanted to know whether, without a second network interface (monitor), Suricata can read logs from a log server and trigger alerts using the pre-defined ruleset.
If yes, will it affect real-time monitoring?
The basic idea is to see if Suricata can work without any monitoring interface by feeding it data/logs from other sources.
The only way to feed in data is to use the pcap read mode, so you can run pcaps towards Suricata; see "7. Command Line Options — Suricata 8.0.0-dev documentation" for the -r option. Another alternative could be a dummy interface that Suricata could attach to, with the traffic forwarded there.
But reading log files is not supported. What format do you expect from the log server?
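To make the pcap read mode concrete, here is an added example (not from this thread or the Suricata project) of a small POSIX shell script that batch-replays stored captures through Suricata with -r, writes one log directory per capture so alerts can be traced back to their source file, and counts the alerts in each eve.json. It assumes Suricata 7 is on PATH and that the configuration at /etc/suricata/suricata.yaml already loads your ruleset; the paths and the sample eve.json lines are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): replay stored pcaps through Suricata's
# offline read mode (-r) and count the alerts it raises. Assumes Suricata 7 is
# on PATH and /etc/suricata/suricata.yaml loads your ruleset; all paths are
# placeholders.

SURICATA_BIN="${SURICATA_BIN:-suricata}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"

# Print the command line used for one capture: -r reads the pcap instead of a
# live interface, -l sets the directory that eve.json and fast.log are written to.
build_offline_cmd() {
    printf '%s -c %s -r %s -l %s\n' "$SURICATA_BIN" "$SURICATA_CONF" "$1" "$2"
}

# Replay every *.pcap in $1, writing one log directory per capture under $2,
# so each capture's eve.json can be attributed back to its source file.
replay_dir() {
    pcapdir="$1"; logroot="$2"
    for pcap in "$pcapdir"/*.pcap; do
        [ -e "$pcap" ] || continue            # no captures: the glob stayed literal
        name=$(basename "$pcap" .pcap)
        mkdir -p "$logroot/$name"
        "$SURICATA_BIN" -c "$SURICATA_CONF" -r "$pcap" -l "$logroot/$name" || return 1
    done
}

# Count alert events in a log directory's eve.json (prints 0 if the file is absent).
# eve.json is one compact JSON object per line, so a line grep is sufficient here.
count_alerts() {
    n=$(grep -c '"event_type": *"alert"' "$1/eve.json" 2>/dev/null) || n=0
    echo "$n"
}

# Summarise which signatures fired in a log directory, most frequent first.
top_signatures() {
    grep -o '"signature":"[^"]*"' "$1/eve.json" 2>/dev/null | sort | uniq -c | sort -rn
}

# Usage (only when both arguments are given, so the functions can also be sourced):
#   sh replay.sh /captures /var/log/suricata/replay
if [ "${1:-}" ] && [ "${2:-}" ]; then
    replay_dir "$1" "$2" || { echo "suricata failed" >&2; exit 1; }
    for d in "$2"/*/; do
        printf '%s: %s alerts\n' "$d" "$(count_alerts "$d")"
    done
fi
```

Because -r processes each file as fast as the CPU allows, this is batch detection, not real-time monitoring: an alert is raised only when the capture is replayed, and the timestamps in eve.json reflect the packet times from the pcap rather than the time of detection. The dummy-interface alternative mentioned above works the same way in practice (create the interface, start Suricata on it with -i, then feed it with a replay tool such as tcpreplay), and has the same delay between the original traffic and the alert.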
The reason I wanted to use a log server without the interface is that in a day we get close to 70 TB of traffic data.
A physical server with a different IDS solution was present earlier, so I wanted to check whether an alternative solution exists where we can collect all the logs and detect using it.
What type of logs are you talking about? Are those network logs?
With 70TB of traffic you’re talking about a 10Gbit/s or higher link?
Suricata inspects network traffic and produces its own logs.