
Question About logstash

Open alexforero opened this issue 8 years ago • 4 comments

Hello,

I'm a newbie on ELK, but I don't have a clear idea of how I can transmit Suricata logs to Elasticsearch.

Do you use Logstash? Or any other way?

Thank you

alexforero avatar Jul 13 '17 12:07 alexforero

You can use Logstash or Filebeat. There are plenty of how-tos on the net if you search around. https://www.elastic.co/products https://www.elastic.co/webinars/introduction-elk-stack

pevma avatar Jul 13 '17 12:07 pevma

Hi Alex, I think the easiest way is to use Logstash to parse your Suricata logs. Logstash will create Elasticsearch indexes that later on you can use to visualize things in Kibana.

Check the following logstash.conf as an example (you might need to fix some filters. Haven't tested that conf lately): https://github.com/StamusNetworks/SELKS/blob/master/staging/etc/logstash/conf.d/logstash.conf

It reads Suricata logs from the default folder: `path => ["/var/log/suricata/*.json"]` and creates `logstash-*` indexes: `index => "logstash-%{event_type}-%{+YYYY.MM.dd}"`

rcfontana avatar Jul 13 '17 12:07 rcfontana
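As an added illustration (not part of this thread and not SELKS's own logstash.conf), the Python below reproduces offline what the file input, JSON codec, date filter and Elasticsearch output of such a pipeline do with Suricata EVE lines: parse each JSON line, take the event time from Suricata's `timestamp` field (falling back to the receive time when it is absent, which is what Logstash's `@timestamp` defaults to), and derive the target index from the `logstash-%{event_type}-%{+YYYY.MM.dd}` pattern. The sample lines are constructed; the `unknown` fallback for events without an `event_type` is my own choice, not Logstash behaviour.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in the shape of Suricata's EVE JSON output
# (one JSON object per line); not captured from a real sensor.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-07-13T12:07:00.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"constructed test signature","severity":2}}',
    '{"timestamp":"2017-07-14T01:30:15.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dns":{"rrname":"example.com"}}',
    # Local-time offset: 23:59 on the 14th in UTC-5 is already the 15th in UTC,
    # and the index date is computed in UTC. No event_type on this one.
    '{"timestamp":"2017-07-14T23:59:59.000000-0500","src_ip":"10.0.0.7"}',
    # No timestamp field at all: only the receive time is available.
    '{"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.9"}',
    "this line is not JSON",
]


def parse_eve_timestamp(value):
    """Parse Suricata's EVE timestamp layout, e.g. 2017-07-13T12:07:00.123456+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def index_name_for(event, received_at):
    """Index an event lands in under logstash-%{event_type}-%{+YYYY.MM.dd}.

    Mirrors a date filter matching the 'timestamp' field: if it is missing or
    unparsable, the receive time is used instead (Logstash's default @timestamp).
    """
    try:
        event_time = parse_eve_timestamp(event["timestamp"])
    except (KeyError, ValueError, TypeError):
        event_time = received_at
    day = event_time.astimezone(timezone.utc).strftime("%Y.%m.%d")
    event_type = event.get("event_type", "unknown")  # fallback name is an assumption
    return f"logstash-{event_type}-{day}"


def route_events(lines, received_at=None):
    """Group EVE lines by target index; return (routed dict, list of unparsable lines)."""
    received_at = received_at or datetime.now(timezone.utc)
    routed = {}
    failed = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            failed.append(raw)  # Logstash would tag such an event _jsonparsefailure
            continue
        if not isinstance(event, dict):
            failed.append(raw)
            continue
        routed.setdefault(index_name_for(event, received_at), []).append(event)
    return routed, failed


if __name__ == "__main__":
    routed, failed = route_events(SAMPLE_EVE_LINES)
    for index, events in sorted(routed.items()):
        print(f"{index}: {len(events)} event(s)")
    print(f"unparsable lines: {len(failed)}")
```

The point worth checking in a real pipeline is the date handling: without a `date` filter that maps Suricata's `timestamp` onto `@timestamp`, the `%{+YYYY.MM.dd}` part of the index name is the day Logstash read the line, not the day the event happened, which scatters replayed or backlogged logs into the wrong daily indexes and makes time-bounded searches in Kibana miss them.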

Thank you rcfontana.

I was looking exactly for https://github.com/StamusNetworks/SELKS/blob/master/staging/etc/logstash/conf.d/logstash.conf

alexforero avatar Jul 13 '17 12:07 alexforero

Thanks @rcfontana! Sorry @alexforero, I missed that you are interested in how exactly SELKS does it, not in general.

pevma avatar Jul 13 '17 12:07 pevma