Suricata with ELK Stack

ashokdev7 · December 6, 2021, 6:43am

Hi need a little help,
I recently install elk stack and configured it with my Suricata .
But now I am not getting any new alerts/events in Kibana Dashboard .
It only shows logs which were present on the day I installed elk .
Even in Kibana Dashboard it shows that suricata logs module is enabled and working .

ish · December 6, 2021, 10:26pm

There are quite a few ways to deploy the Elastic stack so we’ll need a little more detail…

First, are you using a sufficiently generate index pattern? Something like logstash-* or filebeat-*?

Are you using Logstash or Filebeat? If Filebeat, are you using the Suricata plugin or not?

ashokdev7 · December 7, 2021, 5:56am

Hi Jason ,

I have followed this article .
Not sure about index pattern where to check it
In filebeat I have enabled suricata module .
using logstash and filebeat both

ish · December 7, 2021, 2:56pm

The index pattern is something Kibana makes you create before you can do anything. If you go to the “Discover” section you’ll see it near the left top… Probably filebeat-* if you went with that doc above. Just make sure its filebeat-* and not something like filebeat-YYYY.MM.DD which would limit the search results to one day.

There’s a lot of parts in the how to that I’m not sure I can help with tho.

I guess you should also check if Suricata is still logging? Check /var/log/suricata/eve.json, tail it to make sure new logs are being written to it. As long as you have some traffic on the interface, you should get flow logs.

Sorry, not sure if I’m much help beyond that, my experience with the Filebeat Suricata module hasn’t been that great, and I’ve often found ELK easier to re-install than debug to fix issues.

ashokdev7 · December 8, 2021, 8:03am

Hey , Filebeat-* is already there and I can see recent logs in eve.json also . not sure what’s the issue here

Jochen_Haaf · December 9, 2021, 9:37am

Hi,

is logstash running?
It´s also possible to run this setup without logstash, maybe try to reconfigure your filebeat setup to only have the kibana setup and the output for elasticsearch.
For example: deinstall filebeat, remove all filebeat configs, install filebeat new and run only filebeat setup and filebeat modules enable suricata

florinsfetea · December 17, 2021, 2:47pm

Why not use the integration for Suricata ?

Topic		Replies	Views
Discussion about Suricata Help rules	3	276	January 17, 2023
Integrate Suricata with ELK Help	2	424	August 24, 2022
Issue integrating suricata with elkstack	3	60	March 22, 2024
Visualization of Suricata-IDS logs Help	8	2673	March 5, 2021
Suricata no longer write into Eve files Help	2	1836	May 7, 2021

Suricata with ELK Stack

Related Topics