Forwarding Suricata Events (alerts) to External SIEM

[njaravelil]

I folowed the link https://docs.securityonion.net/en/latest/logstash.html?highlight=forwarding#modified-event-forwarding for this topic, but didnt have much success. Any such inputs will be appreciated.

[InfosecGoon]

You probably want to use these instructions instead: https://docs.securityonion.net/en/latest/logstash.html#original-event-forwarding

Try this for the custom pipeline:

output {
  if [module] =~ "suricata" {
    udp {
      id => "cloned_events_out"
      host => "192.168.x.x"
      port => 1001
      codec => "json_lines"
    }
  }
}

[krshnn]

did you get this working??

seems like the pipeline conf is getting removed at every restart, I suppose something has to be done on the salt.