Ingesting suricata logs/alerts from an other host

[KhemaisKebaili]

Hello everyone!
I am running a standalone installation, and for the NIDS it's running on another box.
I am trying to send suricata logs/alerts from a pfsense box to securityOnion and I want them to be displayed in the alerts page.
So far I configured suricata on the pfsense box to output its alerts in eve format and I installed filebeat and configured it to send to SO's logstash.

I am fairly new to ELK in general, should I build a new pipeline for suricata in securityOnion to be able to ingest the data correctly or can I utilize the already built one in securityOnion to be able to ingest the suricata alerts from the remote pfsense box?

[cm-ops]

What does your Filebeat configuration look like for the Suricata logs, including your Logstash output?

Also want to throw this out there - most folks choose to have Security Onion monitor their network traffic and generate its own alerts rather than consuming alerts from other systems. This is easier, faster, and gives you better integration with the rest of the tools in Security Onion.

[KhemaisKebaili]

Hello and thank you for your reply!
I do understand that it is much more practical to have Security Onion generating its alerts rather than ingesting alerts , however we plan to have suricata running in IPS mode on our firewall and we'd like to have the alerts generated on the other system centralized with our HIDS alerts on the same interface in SO Alerts.
following this #5582 (comment) and as of now here's a portion of my filebeat configuration :
filebeat.inputs:
paths:
- path_to_the_suricata_log_folder/eve.json
fields:
module: suricata
dataset: common
category: network

------------------------------ Logstash Output -------------------------------

output.logstash:

The Logstash hosts

hosts: ["SOMANAGERIPADDRESS:5044"]
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
- index: "so-ids"
when.contains:
module: "suricata"

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

Certificate for SSL client authentication

#ssl.certificate: "/etc/pki/client/cert.pem"

Client Certificate Key

#ssl.key: "/etc/pki/client/cert.key"

With this configuration and through Kibana it appears that I am ingesting the suricata logs when I use the discover features and filters using the event.module however I can't view the suricata Alerts in the Alerts interface or in the Kibana alert dashboard. Maybe it's a different dataset than the one I put in my configuration. I am not so sure.

What is the best way to utilize the already built suricata pipeline in such usecase? Thank you in advance!

[cm-ops]

As long as Logstash can identify them correctly they should get to the Suricata ingest pipeline. You can take a look at the inputs, etc. in /opt/so/saltstack/default/salt/logstash/pipelines/config/so/

[KhemaisKebaili]

I was missing the preprocessors in the inputs configuration of the filebeat :
processors:

• drop_fields:
  fields: ["source", "prospector", "input", "offset", "beat"]

It was resolved when I copied the same configuration present in the filebeat.yml under /salt/filebeat/etc over on the remote box.

Thank you for your answer!

[thedeadliestcatch]

@KhemaisKebaili Could you share or make a gist of your config? Are you using filebeat? For example, the pfsense integration is completely lacking in support for Suricata (including eve) logs. It's duplicative to send both syslog and filebeat outputs to SO, but there is no documented way to ingest Suricata logs via syslog, or cloning them from the pfsense pipeline.