I want to user web gui suritaca

Le_Sok · January 22, 2024, 3:06am

Hello team,
I want to view logs Suricata over dashboard is it possible and any recommend some dashboard ?
Best regards,

vjulien · January 22, 2024, 7:21am

I’m personally using Jason’s Evebox https://evebox.org/

Le_Sok · January 22, 2024, 7:41am

Does it is get real time event or not sir ?

ish · January 22, 2024, 6:41pm

Its somewhat real time. Events are added to the database as Logstash/Filebeat/Evebox Agent pick them up. As for the UI, it refreshes every minute or on demand to show you the latest alerts in an aggregate form.

Le_Sok · January 23, 2024, 12:55am

Can U guide me to do this please sir.

Andreas_Herz · February 28, 2024, 8:27pm

You can read into the doc Try EveBox | EveBox

Le_Sok · April 1, 2024, 7:08am

Hello sir,
I just set up Impulse-xdr already in the same server with Suricata but I dont know how to view logs suricata on impulse-xdr can U guide me how to view suricata logs on Impulse-xdr please
Best regards,

bgenev · April 2, 2024, 7:02am

Hi Le,

You need to start with a clean instance, if you already have Suricata running - there will be a conflict.

Just create a new VM and install the manager with these settings in its .conf

AGENT_TYPE=heavy
NIDS_ENABLED=true

Regards

greg · April 2, 2024, 4:16pm

Hello,

This is interesting, what kind of throughput can this GUI implementation
handle and also what kind of NICs? FPGA and PF_RING or AF_PACKET for example?

Greg

greg · April 2, 2024, 4:50pm

One other observation, from what I understand it requires an end user to
deinstall their current Suricata implementation; this is not practical,
some of us have highly customized Suricata implementations, or I am
misunderstanding what has been said so far about it?

Greg

bgenev · April 2, 2024, 6:40pm

Hi,

The EDR agent implements Suricata via the jasonish/suricata image. The agent is installed on a “monitoring VM/host” that is completely decoupled from the rest of the setup, so you can set any amount of CPU/RAM and can have any type of NIC. It will be able to handle the level of throughput that Suricata typically achieves.

Here is the overall flow for clarity:

EDR is installed on monitoring VM
Logs are first stored in /var/impulse/log/suricata and then shipped to a Postgres database on the Impulse Manager using Rsyslog.
On the manager, there is a module that does some basic analytics and prepares the data for display.

The rsyslog + postgres + analytics_module pipeline can handle any amount of log messages.

In terms of setup customization, it comes with a pre-configured suricata.yaml file that sets logging options, interface and HOME_NET value but you can customise anything else.

Regards

greg · April 2, 2024, 7:51pm

Ok interesting, may give it a try, thank you.

Greg

Topic		Replies	Views
GUI Frontend for Windows	3	897	March 4, 2023
Eve.json only shows "event_type":"flow" Help	7	1360	October 22, 2020
Eve.json & fast.log files stopped working randomly Help suricata	1	346	January 2, 2023
Suricata with ELK Stack Help	6	5251	December 17, 2021
How to view logs on evebox Help community	23	436	April 9, 2024

I want to user web gui suritaca

Related Topics