Suricata
Suricata is network monitor with a rule matching engine to detect threats.
Use Tenzir to acquire, process, and store Suricata logs.
Ingest EVE JSON logs into a node
EVE JSON is the log format in which Suricata generates events.
A typical Suricata configuration looks like this:
outputs:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
The filetype
setting determines how you'd process the log file.
Import from a file
By default, Suricata uses the file type regular
. Ingest into a node as
follows:
load_file "/path/to/eve.json"
read_suricata
import
Import from a Unix domain socket
If your filetype
setting is unix_stream
, you need to create a Unix domain
socket first, e.g., like this:
nc -U -l /tmp/eve.socket
Then you can use the same pipeline as above, since Tenzir automatically detects the file type.