Suricata Output to Kafka Error

Help
1

Hi All

I am trying to send suricata eve.json output to kafka
So I added a plugin for that foun don github

Now issue is that I am not getting any data in kafka . Topic is created , no error is shown when suricata runs . Also no data is written in eve.json that is present in logs folder which means it is sending data somewhere but it is known .
I am unable to find where those logs are going .

Anyone have worked with suricata and kafka can help in this.

Sharing a little of my suricata.yaml config

plugins:
  - /usr/local/lib/suricata/plugins/libkafka_output.so



# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: no
      filename: fast.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      kafka:
        brokers: "172.50.33.194:6667,172.50.33.150:6667,172.50.33.122:6667"
        topic: suricata
        client-id: suricata_client_01
        buffer-size: 1024
2

Try adding this section immediately before the existing eve-log. This will add a second output for Suricata; alerts will be written to eve.json in the default-log-dir.

 # a line based log of HTTP requests (no alerts)
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
3

Hy but what about kafka output

4

You would have to talk to the author of the plugin