Shipping Suricata Logs from the Docker Container to Elastic SIEM


I’ve deployed the Suricata Docker image, but I don’t know how I would go about shipping those logs to Elastic SIEM.

Which Docker image do you use? It will depend partly on which Docker you used, but the process is much the same.

You’ll likely need to export /var/log/suricata as a volume. For example:

docker run -v /data/suricata/logs:/var/log/suricata ...

This will make /data/suricata/logs map to /var/log/suricata inside the container, so on the host you can now see the logs at /data/suricata/logs, which you can then point Logstash, Filebeat, or whatever at to send the logs somewhere.

Using jasonish/suricata:5.0.0

OK, that’s my image. The above instructions about exposing the volume should work.

Do I need to use the Elastic Filebeat docker container?

https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html

There is no requirement that Filebeat be in a container… You could use the standalone distribution. I guess it depends on what you are trying to achieve. Unfortunately we don’t have any Suricata -> Elasticsearch guides… There would also be a few variables on what you are trying to achieve that would tell you if you are better off using Filebeat, or Logstash, etc.

In my opinion, getting this all set up with containers, vs. just installing on a system, will complicate matters, unless you are already comfortable with Docker volumes, docker-compose, etc., as it’s all really out of the scope of Suricata.

Use Case:

  • Testing SIEM products: (1) Elastic SIEM, (2) Azure Sentinel
  • Trying to see the amount of quality data that is generated among each of the SIEM tools.

Elastic SIEM Environment

  1. Blue VM (Victim Machine) - With Suricata
  2. Red VM (Attack Machine) - Created a script that will send different types of attacks every 15 minutes to the Blue VM. This will occur over a period of 2 days.
  • Want the blue machine to send the Suricata data back to the Elastic SIEM

Azure Sentinel Environment

  1. Blue VM (Victim Machine) - With Suricata
  2. Red VM (Attack Machine) - Created a script that will send different types of attacks every 15 minutes to the Blue VM. This will occur over a period of 2 days.
  • Want the blue machine to send the Suricata data back to the Azure Sentinel SIEM

I’m not too familiar with SIEMs, but I do know that the Elastic SIEM requires Suricata events to be in ECS format. For that you would use the Suricata module for Filebeat.

https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html

Note that we (Suricata) have no involvement with this, and I don’t use it myself.
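Putting the two answers together (the host-side directory created by the docker -v mapping, and the Filebeat Suricata module that produces ECS events), here is an added example Filebeat configuration for the Blue VM; it is not part of this thread or of the Suricata or Elastic projects. The hostnames, the filebeat_writer user, the CA path and the /etc/filebeat locations are placeholders to replace for your environment.

```yaml
# /etc/filebeat/modules.d/suricata.yml (placeholder path)
# Equivalent to `filebeat modules enable suricata`, then pointing the module at
# the host-side directory that `docker run -v /data/suricata/logs:/var/log/suricata`
# exposes. The filebeat user needs read access to this directory.
- module: suricata
  eve:
    enabled: true
    var.paths: ["/data/suricata/logs/eve.json"]
---
# /etc/filebeat/filebeat.yml (placeholder path)
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

# Ship to Elasticsearch over TLS with a dedicated, least-privilege writer account.
# The password is read from the Filebeat keystore (`filebeat keystore add ES_PASSWORD`)
# rather than being stored in this file.
output.elasticsearch:
  hosts: ["https://elastic-siem.example.internal:9200"]   # placeholder host
  username: "filebeat_writer"                              # placeholder user
  password: "${ES_PASSWORD}"
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]    # placeholder CA path

# Needed once for `filebeat setup` to load the Suricata dashboards and ingest pipeline.
setup.kibana:
  host: "https://kibana.example.internal:5601"            # placeholder host
```

Run `filebeat setup` once (to install the index template, ingest pipeline and dashboards), then start Filebeat; the resulting events land in the filebeat-* indices in ECS format, which is what the Elastic SIEM app reads.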