Discussion about Suricata

Hello, I’m using ELK with Suricata.
I want to understand how Suricata is working. My problem is that I got logs with Filebeat that are shown in my Elastic (Kibana) but no alert OwO…

I can provide my suricata.yaml and all other things you need to explain to me how it all is working.

Thanks a lot!

First is to check if Suricata is actually alerting or not. This is best done by looking at the raw log files. Assuming you are using a more or less default install, look in the /var/log/suricata/eve.json. You can use grep to extract the alert lines, something like:

grep 'event_type":"alert' /var/log/suricata/eve.json

This should help rule out whether or not it’s a Suricata issue or a Filebeat/ELK issue.
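The same first triage step, as an added example that is not from this thread or from the Suricata project: instead of grepping for the `event_type":"alert` substring, this script parses eve.json line by line (each line is one JSON record), counts records per event_type, extracts the alert records, and returns a verdict that separates "Suricata writes nothing", "Suricata writes events but no alerts" and "alerts exist, so look at the Filebeat/ELK side". The sample records, rule names and sids 9000001/9000002 are constructed for the example; the only value taken from the thread is the default path /var/log/suricata/eve.json.

```python
"""Triage helper for Suricata EVE JSON: is Suricata producing alerts at all?

Added example for this thread, not Suricata project code. Reads eve.json
(one JSON record per line), counts records per event_type, pulls out the
alert records and prints a plain-language verdict.
"""
import json
import os
import sys
from collections import Counter

# Default path of a stock Suricata install, as mentioned in the thread.
DEFAULT_EVE_PATH = "/var/log/suricata/eve.json"

# Constructed sample records (not real captured data): one flow, two alerts,
# one dns record, one corrupt line and one blank line, so the parser's error
# handling is exercised as well.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED TEST rule one","category":"Test","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    'this line is not JSON and simulates a truncated write',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51002,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"rev":1,"signature":"CONSTRUCTED TEST rule two","category":"Test","severity":1}}',
    '',
]


def summarize_eve(lines):
    """Parse EVE lines; return (Counter by event_type, list of alert dicts, unparseable-line count)."""
    counts = Counter()
    alerts = []
    unparseable = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparseable += 1  # e.g. a partially written last line: count it, don't abort
            continue
        event_type = rec.get("event_type", "<missing>")
        counts[event_type] += 1
        if event_type == "alert":
            a = rec.get("alert", {})
            alerts.append({
                "timestamp": rec.get("timestamp"),
                "sid": a.get("signature_id"),
                "signature": a.get("signature"),
                "severity": a.get("severity"),
                "src": "%s:%s" % (rec.get("src_ip"), rec.get("src_port", "")),
                "dest": "%s:%s" % (rec.get("dest_ip"), rec.get("dest_port", "")),
            })
    return counts, alerts, unparseable


def verdict(counts, alerts):
    """Turn the summary into the first triage decision from the thread."""
    if not counts:
        return "NO_EVENTS: eve.json has no records; Suricata is not writing logs at all"
    if not alerts:
        return "NO_ALERTS: Suricata writes other events but no alerts; check that rules are loaded and match traffic"
    return "ALERTS_PRESENT: %d alert(s) found; Suricata is alerting, so look at the Filebeat/ELK side" % len(alerts)


def triage_file(path):
    """Summarize a real eve.json on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_eve(fh)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_EVE_PATH
    if os.path.exists(path):
        counts, alerts, bad = triage_file(path)
    else:
        print("%s not found, running on the constructed sample instead" % path)
        counts, alerts, bad = summarize_eve(SAMPLE_EVE_LINES)
    for etype, n in counts.most_common():
        print("%-12s %d" % (etype, n))
    for a in alerts[:10]:
        print(a)
    print("unparseable lines:", bad)
    print(verdict(counts, alerts))
```

Run it as `python3 eve_triage.py` (or with a path to a copied eve.json); a NO_EVENTS verdict points at Suricata not running or logging elsewhere, NO_ALERTS points at the ruleset or the traffic Suricata sees, and ALERTS_PRESENT means the gap is on the Filebeat/Elastic side. Parsing the JSON rather than grepping a substring also means an alert whose fields are in a different order, or a line that merely contains the string in a payload, does not skew the answer.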

Hello Jason,
thanks for your reply!

There is no alert in any eve.json…

Tell me what I can do, I will follow your steps! ^^

Thanks in advance!

What version are you running?
What does your suricata.yaml look like?
How do you start Suricata?