Question About logstash

[alexforero]

Hello,

I'm newbie on ELK but I dont have clear how I can transmit suricata logs to elasticsearch.

Do you use logstash? any other way?

Thank you

[pevma]

You can use logstash or filebeat.
There are plenty of how tos on the net if you search around.
https://www.elastic.co/products
https://www.elastic.co/webinars/introduction-elk-stack

[rcfontana]

Hi Alex,
I think the easiest way is to use logstash to parse your suricata logs. Logstash will create elasticsearch indexes that later on you can use to visualize things on Kibana.

Check the following logstash.conf as an example (you might need to fix some filters. Haven't tested that conf lately):
https://github.com/StamusNetworks/SELKS/blob/master/staging/etc/logstash/conf.d/logstash.conf

It reads suricata logs at the default folder:
path => ["/var/log/suricata/*.json"]
And creates logstash-* indexes:
index => "logstash-%{event_type}-%{+YYYY.MM.dd}"

[alexforero]

Thank you rcfontana.

I was looking exactly for https://github.com/StamusNetworks/SELKS/blob/master/staging/etc/logstash/conf.d/logstash.conf

[pevma]

Thanks @rcfontana !
Sorry @alexforero - I missed that you are interest of how exactly SELKS does it not in general.