Suricata Output to Kafka Error

Hacker7 · April 15, 2022, 6:14am

Hi All

I am trying to send suricata eve.json output to kafka
So I added a plugin for that foun don github

Now issue is that I am not getting any data in kafka . Topic is created , no error is shown when suricata runs . Also no data is written in eve.json that is present in logs folder which means it is sending data somewhere but it is known .
I am unable to find where those logs are going .

Anyone have worked with suricata and kafka can help in this.

Sharing a little of my suricata.yaml config

plugins:
  - /usr/local/lib/suricata/plugins/libkafka_output.so



# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: no
      filename: fast.log
      append: no
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      kafka:
        brokers: "172.50.33.194:6667,172.50.33.150:6667,172.50.33.122:6667"
        topic: suricata
        client-id: suricata_client_01
        buffer-size: 1024

Jeff_Lucovsky · April 15, 2022, 12:33pm

Try adding this section immediately before the existing eve-log. This will add a second output for Suricata; alerts will be written to eve.json in the default-log-dir.

 # a line based log of HTTP requests (no alerts)
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

Hacker7 · April 18, 2022, 7:02am

Hy but what about kafka output

Andreas_Herz · April 18, 2022, 9:47pm

You would have to talk to the author of the plugin

Topic		Replies	Views
Suricata http event and alert event output seem not correct! Help suricata	10	755	June 18, 2024
How can we stream suricata logs to a port Help	5	1442	March 24, 2022
Eve.json only shows "event_type":"flow" Help	7	1594	October 22, 2020
Suricata 6.0.9 on Ubuntu 22.04 not getting traffic at all Help	11	999	December 24, 2022
Suricata, HTTP request/response data is not outputting to eve-log, is there any way? Help community , suricata	3	75	August 13, 2024

Suricata Output to Kafka Error

Related topics