pfsense suricata alerts log ingestion into SO

[KhemaisKebaili]

Hello there!
I am fairly new to using SO and SIEMs in general, was wondering the following and I wanted to do some research before starting implementing but couldn't find anything relevant to what I was hoping to do!

I have a pfsense firewall on which I am running suricata with the ETOpen and snort rule sets. If I want the alerts that are raised by suricata on pfsense to be shown in the alerts tab of the security Onion Console, should I use syslog to forward the alerts or use filebeat and to send the alerts to SO?
Please do correct me if my approach is wrong when it comes to ingesting the alerts.

Thanks in advance for any clarification!

[robbiemarshall]

If you're just wanting to send Suricata alerts, the Suricata filebeat module is what you'll want to utilize. The documentation can be found here: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-suricata.html, with additional documentation of how to install and configure filebeat on your PFSense platform here: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

[KhemaisKebaili]

Thank you for pointing me in this direction , from what you've suggested I understand that I need to setup filebeat with the suricata module and an elasticsearch pipeline, can't I utilize the pipeline that comes OOTB with SO in that case? Also, by installing a suricata module , I'll be having a dedicated dashboard in Kibana, though I would like if there's a possibility to integrate the alerts that I'll be ingesting in the Alerts tool that SO provides so I would have a centralized overview of all my HIDS and Suricata as my NIDS/NIPS in one place.