Suricata logs on graylog

Nuno_Santos · December 31, 2020, 9:38pm

Is it possible to send suricata logs to graylog?

o1e9 · January 1, 2021, 2:05pm

The short answer is Yes, crafting appropriate FileBeat configuration for EVE and Alerts works for me at least.

Nuno_Santos · January 1, 2021, 4:46pm

Directly from filebeat to graylog? Without passing to logstash?

o1e9 · January 2, 2021, 11:59am

My humble understanding is that FileBeat is an alternative for LogStash, so yes, FileBeat logs directly to Graylog. Check for FileBeat Input in Graylog. FileBeat has the option to parse JSON for EVE.log and it is possible to custom multilie events like Java logs or Suricata alerts.

defsecprof · January 28, 2021, 12:01pm

Hi,

I also just send fast.log using rsyslog.

Best regards

sscally · February 8, 2021, 11:48pm

Hi Nuno,

We run fluentd on the suricata node with its Graylog Extended Log Format(GELF) plugin and then fluentd is configured to sent to graylog on its configured input settings.

td-agent.conf

####
## Output descriptions:
##
# @see http://docs.fluentd.org/articles/http-to-td
# @see https://docs.fluentd.org/configuration/buffer-section

## Graylog 
<match your.ids.node.tag>
   @type gelf 
   host your.graylog.server (can also be ip address) 
   port port (matches what is configured on graylog input)
   protocol udp or tcp (should match your input type on graylog)
   slow_flush_log_threshold 20.0
  <buffer>
    @type  file 
    path /var/log/td-agent/buffer/suricata-fluentd-buffer 
    chunk_limit_size 256MB 
    total_limit_size 64GB 
    flush_mode interval 
    flush_interval 60s 
    flush_thread_count 10
    overflow_action block 
  </buffer>       
</match>

####
## Source descriptions:
##
## Suricata
## read suricata eve.log continuously
<source>
  @type tail
<parse>
  @type json 
</parse>
  path /var/log/suricata/eve.json 
  pos_file /var/log/td-agent/suricata-eve.log.pos
  tag your-ids-node-tag
</source>

I have a buffer added here just from production use and you will probably have to adjust the memory and space settings to your needs/system. So far this seems to work out pretty well and with the buffer enabled I can update the graylog stack and alerts will queue on the suricata node then get processed when the graylog input availability resumes.

Last note is that the application is named fluentd but the program is td-agent. To install the plugin make sure to use the td-agent ruby updater instead of the system ruby as the system ruby is not recognized.

Steve

Topic		Replies	Views
Suricata logs to syslog server	1	257	January 12, 2024
Shipping logs to database Help	4	1088	March 22, 2021
Suricata generate log files instead of Json Help suricata	1	155	November 22, 2023
Rules and log files	1	296	November 28, 2023
Discussion about Suricata Help rules	3	276	January 17, 2023

Suricata logs on graylog

Related Topics