Coexistence of Zeek and Suricata and maintenance of alerts. #1908
-
Hi, my name is Angel and I wanted to ask you if it is possible that the two tools indicated in the subject can coexist in the same system or if, otherwise, you recommend using one or the other. On the other hand, right now I have a solution in production of Security Onion 2.3. In previous versions there was a file called "security.conf" where I could limit the number of days I could maintain alerts in the console. Thank you very much. Best regards,
Replies: 1 comment 2 replies
-
Most Security Onion users run both Zeek and Suricata at the same time, with Suricata providing NIDS alerts and Zeek providing network metadata.

In Security Onion 2.3, all alerts go into Elasticsearch and so alert retention is managed by curator. By default, curator closes Elasticsearch indices once they reach 30 days. Curator also checks disk usage, so if you reach log_size_limit, it will start deleting old indices to prevent filling your disk. For more information, please see:

https://docs.securityonion.net/en/2.3/elasticsearch.html
https://docs.securityonion.net/en/2.3/curator.html?highlight=curator
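To make the two retention rules in the reply concrete, here is an added example (not Security Onion or Curator code) that models them over constructed index data: the index names, sizes, dates, the 30-day threshold and the size limit are all assumptions chosen for illustration.

```python
"""Model of the two retention rules from the reply above (added example, not
Security Onion or Curator code): indices older than a day threshold are closed,
and when total size exceeds log_size_limit the oldest indices are deleted first.
Index names, sizes and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Index:
    name: str
    day: date          # day the index covers (constructed)
    size_gb: float     # on-disk size in GB (constructed)
    closed: bool = False


def close_old_indices(indices, today, close_after_days=30):
    """Close (not delete) every open index at least close_after_days old."""
    closed = []
    for idx in indices:
        if not idx.closed and (today - idx.day).days >= close_after_days:
            idx.closed = True
            closed.append(idx.name)
    return closed


def enforce_size_limit(indices, log_size_limit_gb):
    """Delete oldest indices until total size fits; returns (kept, deleted)."""
    kept = sorted(indices, key=lambda i: i.day)
    deleted = []
    while kept and sum(i.size_gb for i in kept) > log_size_limit_gb:
        deleted.append(kept.pop(0).name)   # oldest index goes first
    return kept, deleted


def run_demo(today=date(2023, 1, 1), days=40, size_gb=2.0, limit_gb=50.0):
    """Constructed scenario: one index per day, 40 days, 2 GB each, 50 GB cap."""
    indices = [Index(f"so-alerts-{today - timedelta(days=d):%Y.%m.%d}",
                     today - timedelta(days=d), size_gb) for d in range(days)]
    n_closed = len(close_old_indices(indices, today))
    kept, deleted = enforce_size_limit(indices, limit_gb)
    # Effective retention is the smaller of the day threshold and what the disk holds.
    return n_closed, len(deleted), kept[0].name


if __name__ == "__main__":
    print(run_demo())   # (10, 15, 'so-alerts-2022.12.08')
```

In this scenario the disk cap, not the 30-day rule, decides how many days of alerts survive: 25 days fit under 50 GB, so the oldest indices are deleted before the day threshold would matter.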