Suricata - multiple sensors

Hello Suricata community,

Wanted to ask if someone knows is there a possibility to have one “central” Suricata server in data center and multiple “sensors” all around the network to send “findings” to one “central” Suricata server?

Could not find anything in documentation. :frowning:

Tnx in advance

Vuk

It seems what you are asking for is a central repository for logs/alerts, normally this would be implemented via a logshipper deployed in each suricata host.

The logshipper will forward the logs to ElasticSearch/SIEM/Analytical tools.

1 Like

Hi,

There are several ways, perhaps the simplest would be to install wazuh and send the alerts of each sensor to the wazuh server. For example, on each host/sensor, in the ossec.conf configuration:

  <localfile>
    <location>C:/ids/log/eve.json</location>
    <log_format>json</log_format>
  </localfile>

o

  <localfile>
    <location>/var/log/suricata/eve.json</location>
    <log_format>json</log_format>
  </localfile>

.

1 Like

Depending on the physical layout of the datacenter and the networking equipment available you could try to get all network traffic forwarded to your single suricata machine.

Hi,

There are client/server python tools that send the capture of each host to a server in pcap format. On the server, you just have to run:

tail -f /tmp/collected_sensors.pcap | suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin …

1 Like

No, I just thought there is maybe a way to have, lets call it a primary Suricata server and bunch of sensors on the network that would send alerts/logs to the primary one and then send it to for example wazuh. But ok, if that is not by design, I guess I will install multiple suricatas in container over the network and send everything to Wazuh. tnx for the help

1 Like

hello, I am doing exactly the same thing with one server, Suricata sends everything to wazuh server.
I just thought there is maybe something that I missed in the doc. I thought maybe there is a possibility to have one “primary” Suricata server and some “secondary” server on other side of network and it can send all logs/alerts to primary. I guess it is not by design.
Why I hoped that it maybe can be done, I wanted to pay for commercial ruleset on only one server, but in our case, “data center” resides in multiple physical locations, so I would need at least 5 sensors, which means 5 times the ruleset.
Anyways, tnx for the answer and help. :slight_smile:

In that case Suricata would have to reread logfiles from other instances.

In general what is done is that you have multiple instances that forward the logfiles to a central log sink, SIEM etc. where you process the alerts.

Your idea won’t help to reduce the amount of licenses, since the signatures need to be applied to the actual traffic that is seen on those instances. Having those signatures only on the primary Suricata server won’t help since the others won’t be able to run those signatures.

1 Like

Hello Andreas,
Thank you for the time to explain this.
I will proceed than with multiple Suricata sensors in container. :slight_smile:
Kind regards,
Vuk