Which tool do you recommend for post processing eve.json?

Hi,
Suricata is logging its output to eve.json.
JSON is fine to be parsed.
Which tool do you recommend to post-process it? I heard of something like jq or Wazuh.

Thanks.

Bernd

Hi,

Depends on what you have available.
For command line processing, jq is more than enough.
To visualize it you might want to use e.g. EveBox or hook it up to something like the ELK stack.
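As an added example (not code from the thread or from the Suricata project), here is the kind of command-line post-processing jq is used for, written as a small Python script so the steps are explicit: read eve.json line by line, skip anything that is not valid JSON (a partially written last line is common while Suricata is still logging), keep only `alert` events (eve.json mixes alert, dns, http, flow and other event types in one file), and aggregate them by signature and source IP. The eve.json lines are constructed sample data, not a real capture.

```python
import json
from collections import Counter

# Constructed sample of eve.json content: one JSON object per line, mixed event
# types, plus a deliberately broken line. Signatures and IDs are invented.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE WEB suspicious user agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","src_port":5353,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE WEB suspicious user agent","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.0.5","src_port":51300,"dest_ip":"198.51.100.3","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE SCAN SSH probe","category":"Attempted Information Leak","severity":1}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":5,"event_type":"al
"""


def iter_events(text):
    """Yield one parsed event per line; silently skip blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_alerts(text):
    """Aggregate alert events: hits per signature, hits per source IP, and the
    most urgent severity seen per signature (Suricata: 1 = high, 4 = low).
    jq equivalent of the filter step: jq -c 'select(.event_type=="alert")' eve.json
    """
    by_sig, by_src, worst = Counter(), Counter(), {}
    for ev in iter_events(text):
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        sig = alert["signature"]
        by_sig[sig] += 1
        by_src[ev["src_ip"]] += 1
        worst[sig] = min(worst.get(sig, 4), alert["severity"])
    return {"by_signature": by_sig, "by_src_ip": by_src, "min_severity": worst}


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE)
    for sig, n in summary["by_signature"].most_common():
        print(f"{n:4d}  sev={summary['min_severity'][sig]}  {sig}")
```

To run it against a live file, replace `SAMPLE_EVE` with `open("/var/log/suricata/eve.json").read()` or stream the file line by line for large logs.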

My IDS is to monitor the network traffic of at most 20 hosts. ELK seems oversized in my eyes. EveBox looks fine. But is it well maintained? There doesn't seem to be much activity in the project.

Bernd

IMO, even one host, once you go past just alert logging, needs extra tooling to handle the alerts.

EveBox is still maintained, but short of some bugs, I think it's close to "done", so the work that goes into it is minimal until some new great ideas come along. I work on it in bursts, though, then sometimes don't touch it for months at a time short of a breaking bug. It can use an SQLite backend, but you might generate too much for that; you could try. But IMO, ELK is not oversized at all for 20 hosts.