I want to have a suricata machine sniffing traffic from two interfaces (WAN and LAN). Of course, all of the logs from flows and alerts will be together on the same files. The objective is to send logs to an external ELK stack. Is there any chance to separate the logs generated by suricata?
Events will have the “in_iface” which records the interface. Note that “stats” records won’t have this though.
Something to consider is if you want the same HOME_NET for each interface. In some cases, using multiple Suricata instances is simpler, but of course can double the resources required.
Yeah, the main thing to watch out for is the log directory. You'll want each instance to use its own log directory. I guess default packaging setups won't work for you either, as the systemd stuff is only single instance aware, so it is more work, but possible. It's generally the way I've handled multiple interfaces before, as I usually want a different config on each.
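Added example, not from this thread or from the Suricata project: a small Python filter that reads EVE JSON lines from a single-instance setup, tags each record with a zone derived from `in_iface`, and keeps records without `in_iface` (such as `stats`) under a separate tag so nothing is dropped before shipping to ELK. The interface names, the `IFACE_ZONES` mapping and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not captured from a real sensor).
# The alert and flow records carry "in_iface"; the stats record does not.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"in_iface":"eth0","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"constructed test signature","severity":3}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow",'
    '"in_iface":"eth1","src_ip":"192.0.2.10","dest_ip":"198.51.100.20",'
    '"flow":{"pkts_toserver":3}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"stats",'
    '"stats":{"uptime":60}}',
    'this line is not json and must be skipped, not crash the shipper',
]

# Hypothetical capture-interface -> zone mapping; an ELK index pattern or
# Logstash pipeline can key on the resulting "zone" field.
IFACE_ZONES = {"eth0": "wan", "eth1": "lan"}


def route_eve_line(line, zones=IFACE_ZONES):
    """Return (zone, event) for one EVE line, or None if it is not JSON.

    Records with no "in_iface" (e.g. stats) are tagged "instance" so they
    are kept but not attributed to a zone; an interface that is not in
    the mapping is tagged "unmapped-<iface>" so misconfiguration shows up.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    iface = event.get("in_iface")
    zone = "instance" if iface is None else zones.get(iface, f"unmapped-{iface}")
    event["zone"] = zone
    return zone, event


def split_by_zone(lines, zones=IFACE_ZONES):
    """Group EVE lines into {zone: [events]}, skipping non-JSON lines."""
    buckets = defaultdict(list)
    for line in lines:
        routed = route_eve_line(line, zones)
        if routed is not None:
            zone, event = routed
            buckets[zone].append(event)
    return dict(buckets)


if __name__ == "__main__":
    for zone, events in split_by_zone(SAMPLE_EVE_LINES).items():
        print(zone, [e["event_type"] for e in events])
```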