Using Suricata with ES

When I install Suricata,is it came with Elastic Search?All the Pcap that I insert to Suricata actually insert to ES? (all the payload of the Pcap or only metadata)?

If yes,How can I search into ES without Suricata about session payload that contains “HELLO WORLD” into payload for example


Suricata does not come with, or integrate directly with Elasticsearch.

Suricata does output a log file, by default this log file is /var/log/suricata/eve.json. Tools such as Logstash and Filebeat can process those log files and send them to Elasticsearch. However, Suricata does not log all packet payload, so you may not get what you are after. It does log metadata about what is happening, and it can log a portion of the payload if an alert triggers.

@ish Thank you so much about your reply.

When I add signature about packet payload like

alert ip any any → any any (msg:“TCP side 2”; content:“Hi friend”; flowbit:isset, placeholdername; sid:2;)

Suricata will parse the payload and write to log that 123.pcap has been alerted without writing the payload?

What is the recommended stack to save and analysis the logger?
GitHub - robcowart/synesis_lite_suricata: Suricata IDS/IPS log analytics using the Elastic Stack. ?

If Suricata doesn’t has any DB so each time I see in Suricata all pcap that I added into Suricata or last X alert , Suricata just read the log file?

By default the payload is not logged. Look at the - alert' section under eve-logand you can turn on options to enable payload logging for alerts. You can usepayloadto get loss-less payload logging in base64, orpayload-printable` to just log the printable characters.

Not that when running on live traffic there will be no pcap name in the log file.

Filebeat reading the eve.json and writing to Elasticsearch is pretty common.

Generally, Suricata uses pcap files or a network interface, and outputs an eve.json. In simple terms that is all. It will be up to you and your tool as to what to do with that output file.