From syslog input (or Pfsense integration) with Suricata events to Logstash (consuming external Suricata logs into SO) #12558
The pfSense integration does not support Suricata logs being sent over via the syslog listener. Is there a way with 2.4 to ingest Suricata logs from pfSense? Either from the same pipeline as the pfSense integration or by setting up an additional logging target (which can be done to separate the Suricata messages). Beats has mostly been removed, and there is no documentation on setting it up for 2.4 or on adding additional inputs to Logstash. Elastic Agent does not work on FreeBSD. A workaround is to set up syslog-ng on a host and then send over the Suricata logs, installing Elastic Agent alongside that, but that's a questionable solution.
Replies: 4 comments
This is something I was looking at a couple of weeks ago. The issue is the way pfSense/OPNsense formats the logs. For some reason it is not recognized and parsed properly by the Suricata input plugin. If we modify the default input plugin then that will break standard Suricata logs. Might not be a bad thing, but we are still looking into it.
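The question above asks for a way to separate the Suricata messages from the rest of the pfSense syslog stream, and the reply above attributes the parsing failure to the way the firewall formats those lines. The following is an added example, not code from Security Onion, pfSense or this thread, that shows what such a separation step looks like: it strips a syslog header from each line, keeps only lines whose body is a complete Suricata EVE JSON record, and tags the record with the syslog hostname so the originating firewall is not lost. It assumes (the page does not state the exact format) that pfSense wraps each EVE record in either an RFC 3164 or RFC 5424 syslog header; the sample lines are constructed, and the function names `extract_eve` and `split_stream` are this example's own.

```python
import json
import re

# Constructed sample input. Assumption: each Suricata EVE record arrives as the
# message part of a syslog line (RFC 3164 or RFC 5424 header), interleaved with
# other pfSense syslog traffic such as filterlog. Bare EVE JSON is also accepted.
SAMPLE_LINES = [
    '<134>Jan  1 12:00:00 pfsense suricata[12345]: {"timestamp":"2024-01-01T12:00:00.000000+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"CONSTRUCTED TEST SIGNATURE","severity":2}}',
    '<134>1 2024-01-01T12:00:01.000000+00:00 pfsense suricata 12345 - - '
    '{"timestamp":"2024-01-01T12:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}',
    '{"timestamp":"2024-01-01T12:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '<134>Jan  1 12:00:03 pfsense filterlog[99]: 5,,,1000000103,em0,match,block,in,4,...',
]

# RFC 3164: <PRI>Mmm dd hh:mm:ss host app[pid]: message
RFC3164 = re.compile(
    r'^<\d{1,3}>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<app>[^\[:\s]+)(?:\[\d+\])?:\s*'
)
# RFC 5424: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA message
RFC5424 = re.compile(
    r'^<\d{1,3}>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?:-|\[[^\]]*\]) '
)


def extract_eve(line):
    """Return the EVE record carried by a syslog line as a dict, or None.

    The syslog header (if any) is stripped; the remaining body must parse as a
    JSON object that carries the two fields every EVE record has, so a
    filterlog line or a truncated record is rejected rather than half-parsed.
    The syslog hostname is copied into the record as 'host' when the record
    does not already carry one.
    """
    host = None
    body = line
    for pattern in (RFC3164, RFC5424):
        match = pattern.match(line)
        if match:
            host = match.group('host')
            body = line[match.end():]
            break
    body = body.strip()
    if not body.startswith('{'):
        return None
    try:
        record = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict) or 'event_type' not in record or 'timestamp' not in record:
        return None
    if host and 'host' not in record:
        record['host'] = host
    return record


def split_stream(lines):
    """Separate a mixed syslog stream into (eve_records, other_lines).

    eve_records are plain EVE dicts suitable for a JSON-lines file that a
    standard Suricata input can read; other_lines are passed through untouched.
    """
    eve_records, other_lines = [], []
    for line in lines:
        record = extract_eve(line)
        if record is None:
            other_lines.append(line)
        else:
            eve_records.append(record)
    return eve_records, other_lines


if __name__ == '__main__':
    eve, other = split_stream(SAMPLE_LINES)
    for record in eve:
        # One EVE record per line, exactly the shape eve.json has on the sensor.
        print(json.dumps(record, separators=(',', ':')))
    print(f'# {len(eve)} EVE records, {len(other)} non-Suricata lines left alone')
```

Writing the extracted records back out one per line yields a file in the same shape as a sensor's own eve.json, which is the form an unmodified Suricata input expects; the tagging with the syslog hostname is what keeps several edge firewalls distinguishable once their records are merged.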
Could you describe how the Suricata input is actually engaging from the pfSense integration? I don't see the path in the pipelines in ES. I do think this is a major feature to support, especially in virtualized labs or deployments where several edge firewalls might be supplying EVE logs directly. The idea of running several forward nodes is fantastic, but it is not practical in many real-world setups where you want aggregation of multiple loggers. This is how NetFlow/sFlow probes work too, and in fact, the major/established products like nProbe all operate in this fashion: a "fan out" node can supply flow data to several consumers. This provides both redundant monitoring and replication of events.
@TOoSmOotH Any updates?