Hi!
Does anyone have experience in sending Suricata logs (from an external server) to OSSIM?
input {
  file {
    # Suricata EVE output is one JSON object per line; the file input ships each
    # line in the "message" field unchanged (default plain codec).
    path => "/path/to/suricata/log/file"
    # "beginning" + a /dev/null sincedb means the whole file is re-read on every
    # Logstash restart, so OSSIM will receive duplicates. Point sincedb_path at a
    # real file once the pipeline works.
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # Add filters here if needed to parse Suricata logs
  # (e.g. a json filter on "message" to drop non-alert event_types).
}

output {
  # The syslog output is not bundled with Logstash; install it first with
  #   bin/logstash-plugin install logstash-output-syslog
  syslog {
    host => "ossim-server-ip"
    port => 514
    protocol => "udp"
    facility => "local6"          # PRI = 22*8 + 6 = 182 (local6.info)
    severity => "informational"
    sourcehost => "%{host}"       # hostname OSSIM sees as the sensor
    message => "%{message}"       # raw EVE JSON line
  }
}
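As an added example (not from the thread, and not Logstash's own code), here is a small Python stand-in for the filter and output stages above: it keeps only EVE "alert" events and builds the same local6/informational RFC 3164 message the syslog output would emit, so you can check what OSSIM will receive before wiring up the pipeline. The sensor hostname, the "suricata" tag and the sample EVE lines are constructed assumptions.

```python
import json
import socket
from datetime import datetime

# Constructed sample EVE JSON lines (one alert, one flow); not real sensor output.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:15:30.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature":"ET TEST Constructed Rule","severity":2}}',
    '{"timestamp":"2024-05-01T10:15:31.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
]

# RFC 3164 numeric codes for the values used in the Logstash config above.
FACILITY = {"local6": 22}
SEVERITY = {"informational": 6}


def syslog_pri(facility="local6", severity="informational"):
    """PRI = facility * 8 + severity; local6.informational gives 182."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def eve_to_syslog(line, sourcehost="sensor01"):
    """Filter stage + output stage: return an RFC 3164 message for an EVE
    alert, or None for any other event_type (flow, dns, http, ...)."""
    event = json.loads(line)
    if event.get("event_type") != "alert":
        return None
    # Suricata timestamps look like 2024-05-01T10:15:30.123456+0000
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164 day is space-padded
    body = (f'{event["alert"]["signature"]} '
            f'{event["src_ip"]} -> {event["dest_ip"]} {event["proto"]}')
    return f"<{syslog_pri()}>{stamp} {sourcehost} suricata: {body}"


def send_udp(messages, host, port=514):
    """Ship the formatted messages to the OSSIM syslog listener over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    out = [m for m in map(eve_to_syslog, SAMPLE_EVE_LINES) if m]
    for m in out:
        print(m)          # inspect before calling send_udp(out, "ossim-server-ip")
```

Run it without calling send_udp first to eyeball the messages, then enable the send once the facility and source host match what the OSSIM plugin expects.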