Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
The following table lists the data source offered by this integration.
| Data source | Description |
|---|---|
| | The multiple kinds of logs offered by Suricata provide a good overview of the network activity |
| | The alert logs give information about events that matched a rule in the NIDS |
| | The multiple kinds of logs offered by Suricata offer a good overview of the network activity |
| | Suricata http.log provides much web information, such as the connected client, the requested resource or even the user agent |
| | If enabled, Suricata can log DNS queries and answers |
| | If enabled, Suricata may log information about the TLS certificates |
Suricata leverages its EVE output module to report alerts, metadata, file info and protocol records in JSON. As described in the official documentation, this module can report its findings through the syslog facility.
Configure Suricata to forward events to rsyslog
Open the Suricata configuration file (please note that the path to the configuration file may change depending on the OS and your configuration):
```bash
sudo vim /etc/suricata/suricata.yaml
```
Paste the following declaration in your Suricata configuration to trigger the production of syslog entries under the

```yaml
outputs:
  - eve-log:
      enabled: yes
      type: syslog
      identity: suricata
      facility: local5
      level: Info
      types:
        - alert
        - http
        - dns
        - tls
```
Configure the Rsyslog server
Given this Suricata configuration, your local rsyslog server will handle produced records. Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.
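To check what actually leaves the sensor once the eve-log output above is active, here is an added example (not SEKOIA.IO or Suricata code) that parses EVE JSON records as rsyslog writes them under the identity `suricata`, counts them per event type, pulls the essentials out of alerts and flags event types that were not enabled in the configuration. The sample lines are constructed, and the classic BSD syslog line layout (`Mon dd hh:mm:ss host tag[pid]: message`) is assumed.

```python
import json
import re
from collections import Counter

# event_type values enabled in the eve-log "types" list above; anything else signals config drift.
EXPECTED_TYPES = {"alert", "http", "dns", "tls"}

# Constructed sample lines, in the shape rsyslog writes for the syslog identity "suricata".
SAMPLE_LINES = [
    'Jan 12 10:00:01 sensor1 suricata[1234]: {"timestamp":"2024-01-12T10:00:01.123456+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test alert","category":"Potentially Bad Traffic","severity":2}}',
    'Jan 12 10:00:02 sensor1 suricata[1234]: {"timestamp":"2024-01-12T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"example.com","url":"/index.html","http_user_agent":"curl/8.0.0","http_method":"GET","status":200}}',
    'Jan 12 10:00:03 sensor1 suricata[1234]: {"timestamp":"2024-01-12T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    'Jan 12 10:00:04 sensor1 suricata[1234]: {"timestamp":"2024-01-12T10:00:04.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","tls":{"subject":"CN=example.com","issuerdn":"CN=Example CA","sni":"example.com","version":"TLS 1.3"}}',
    'Jan 12 10:00:05 sensor1 sshd[999]: Accepted publickey for ops from 10.0.0.7 port 40000 ssh2',
    'Jan 12 10:00:06 sensor1 suricata[1234]: {"timestamp":"2024-01-12T10:00:06.000000+0000","event_type":"http","http":{"hostname":"example.com","url":"/very/long',
]

# Classic BSD syslog layout: "Mon dd hh:mm:ss host tag[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$")

def parse_eve_syslog_line(line):
    """("ok", record) for a Suricata EVE line, ("skip", None) for other programs, ("malformed", None) for bad JSON."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != "suricata":
        return ("skip", None)
    try:
        rec = json.loads(m.group("msg"))
    except json.JSONDecodeError:  # typically a record truncated by the syslog message size limit
        return ("malformed", None)
    rec["sensor"] = m.group("host")  # keep the syslog host so each record traces back to a sensor
    return ("ok", rec)

def summarize(lines):
    """Count EVE records per event_type, pull out alert essentials and flag anomalies."""
    out = {"by_type": Counter(), "alerts": [], "skipped": 0, "malformed": 0, "unexpected_types": set()}
    for line in lines:
        status, rec = parse_eve_syslog_line(line)
        if status != "ok":
            out["skipped" if status == "skip" else "malformed"] += 1
            continue
        etype = rec.get("event_type", "unknown")
        out["by_type"][etype] += 1
        if etype not in EXPECTED_TYPES:
            out["unexpected_types"].add(etype)
        if etype == "alert":
            a = rec["alert"]
            out["alerts"].append({"sensor": rec["sensor"], "severity": a["severity"], "signature": a["signature"],
                                  "src_ip": rec.get("src_ip"), "dest_ip": rec.get("dest_ip")})
    return out
```

Long EVE records (http events with large headers, tls events with full certificate details) can exceed the syslog daemon's maximum message size and arrive truncated; counting them as `malformed` rather than silently dropping them makes that loss visible before the logs are forwarded.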