I have a successful installation of suricata but I am unable to send logs from suricata to filebeat
Have you tried the Suricata filebeat module? Last I tried it, probably a couple months ago it worked fine.
Yes I have enabled the suricata module and then I had added filesets in suricata.yml in the modules.d and then restarted filebeat still not able to receive any data from suricata
Here’s my modules.d/suricata.yml, note that I use the threaded eve option for Suricata, so I changed the path:
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-suricata.html

- module: suricata
  # All logs
  eve:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/suricata/eve.*.json"]
Otherwise, I’m not much help. This just works for me. I have found it difficult in the past with Filebeat to figure out just what is wrong… Is it not reading the files? Is it not connecting/authenticating to Elasticsearch? So I disable xpack security at the Elasticsearch server side. Of course, not ideal, but simplifies things a little.
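An added example, written by the editor and not posted by anyone in this thread, for the first question above (is Filebeat even reading the files?): a POSIX shell script that reports whether Suricata is writing a single eve.json or the threaded eve.*.json files, and whether the files your var.paths glob matches are readable and contain well-formed EVE lines. The function names and the temp directory with its sample JSON lines are constructed stand-ins for /var/log/suricata so it runs offline.

```shell
#!/bin/sh
# Added example, not from this thread. Checks the local side of the Filebeat
# Suricata module: does var.paths match anything, and is what it matches
# readable EVE JSON? LOGDIR is a constructed stand-in for /var/log/suricata.
set -u

# Print "threaded" if Suricata writes eve.<n>.json (threaded eve output),
# "single" if it writes one eve.json, "none" if neither exists.
eve_mode() {
    dir="$1"
    for f in "$dir"/eve.*.json; do
        [ -e "$f" ] && { echo threaded; return 0; }
    done
    [ -e "$dir/eve.json" ] && { echo single; return 0; }
    echo none
}

# 0 if the file is readable and every line is a JSON object with event_type.
check_eve_file() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable (check the filebeat user's perms): $f"; return 1; }
    if grep -vq '^{.*"event_type".*}$' "$f"; then
        echo "malformed or truncated EVE line in $f"; return 1
    fi
    return 0
}

# 0 if the var.paths glob matches at least one file and all of them pass.
check_eve_paths() {
    pattern="$1"; n=0
    for f in $pattern; do           # intentionally unquoted: expand the glob
        [ -e "$f" ] || continue     # an unmatched glob stays literal in sh
        n=$((n + 1))
        check_eve_file "$f" || return 1
    done
    [ "$n" -gt 0 ] || { echo "nothing matches $pattern; compare with eve_mode"; return 1; }
    echo "$n file(s) OK under $pattern"
}

# Constructed sample data: two threaded EVE files plus one truncated line.
LOGDIR=$(mktemp -d)
echo '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.1"}' > "$LOGDIR/eve.1.json"
echo '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.2"}' > "$LOGDIR/eve.2.json"
echo '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"dns"' > "$LOGDIR/eve.partial"

eve_mode "$LOGDIR"                         # threaded
check_eve_paths "$LOGDIR/eve.*.json"       # 2 file(s) OK
check_eve_paths "$LOGDIR/eve.json" || :    # wrong glob for threaded output
check_eve_file "$LOGDIR/eve.partial" || :  # truncated line is caught
# Once the files check out, test the other side: filebeat test config -e && filebeat test output
```

The last comment names the two real Filebeat subcommands for the second question (can it reach and authenticate to Elasticsearch?), which this script does not run.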