I’m setting up Suricata and ELK 7.0, and ELK doesn’t correctly parse the logs.
I see some basic fields, but I don’t see src/dst port/ip and the alert name. How can I troubleshoot it? I have experience with Splunk, but not with ELK. ELK for me is like a grey box.
Have you attempted the parsing with Logstash or the new Suricata integration?
I don’t have any issues with the integration.
There are multiple ways to do things with ELK, and multiple schemas the data could be stored in, so you’ll have to provide more information please.
For starters, how are you shipping events to Elasticsearch? The common ways are Filebeat with the Suricata module, or pure Logstash. While these store events in Elasticsearch differently, Kibana should still be able to discover them.
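Before blaming the shipper, it is worth confirming that the raw eve.json actually carries the fields the asker reports missing. The following is an added triage script of my own, not code from the thread; the sample lines are constructed, and the native EVE names it checks (src_ip, dest_port, alert.signature) are what Logstash sees, while the Filebeat Suricata module renames them to ECS names such as source.ip, so the same event looks different in Kibana depending on the shipper.

```python
import json

# Constructed sample of Suricata EVE JSON lines (not real traffic):
# a complete alert, a flow event, and a line truncated mid-write.
SAMPLE_EVE = [
    '{"timestamp":"2019-05-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"signature":"TEST signature","signature_id":1,"severity":2}}',
    '{"timestamp":"2019-05-01T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP"}',
    '{"timestamp":"2019-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5"',
]

# Native EVE field names the asker cannot see in Kibana. If they are present
# in the file, the log is fine and the pipeline (Logstash filter or Filebeat
# module configuration) is where to look next.
REQUIRED = ["src_ip", "src_port", "dest_ip", "dest_port"]
ALERT_REQUIRED = ["alert.signature"]


def _get(event, dotted):
    """Resolve a dotted path such as 'alert.signature' in a parsed event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_eve_lines(lines):
    """Return (line number, event_type or 'invalid_json', missing fields) per line.
    Unparsable lines are reported rather than raised, since a single truncated
    line is enough to make a naive Logstash json filter drop or tag the event."""
    report = []
    for lineno, raw in enumerate(lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            report.append((lineno, "invalid_json", None))
            continue
        needed = list(REQUIRED)
        if event.get("event_type") == "alert":
            needed += ALERT_REQUIRED
        missing = [f for f in needed if _get(event, f) is None]
        report.append((lineno, event.get("event_type"), missing))
    return report


if __name__ == "__main__":
    for lineno, kind, missing in check_eve_lines(SAMPLE_EVE):
        print(f"line {lineno}: {kind} missing={missing}")
```

Run it against a real eve.json with `check_eve_lines(open("/var/log/suricata/eve.json"))` (path assumed); if alerts show no missing fields here but Kibana still lacks them, the problem is in the Logstash filter or the Filebeat module, not in Suricata.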