Suricata
Overview
Suricata is a free and open source, mature, fast and robust network threat detection engine. It inspects network traffic using a powerful and extensive rules and signature language, and has Lua scripting support for detecting complex threats.
Event Categories
The following table lists the data sources offered by this integration.

Data Source | Description |
---|---|
Network device logs | The multiple kinds of logs offered by Suricata provide a good overview of the network activity |
Network intrusion detection system | The alert logs give information about events that matched a rule in the NIDS |
Network protocol analysis | The multiple kinds of logs offered by Suricata provide a good overview of the network activity |
Web logs | Suricata's http.log provides much web information, such as the connected client, the requested resource or even the user agent |
DNS records | If enabled, Suricata can log DNS queries and answers |
SSL/TLS certificates | If enabled, Suricata can log information about the TLS certificates it observes |
Configure
Suricata uses its EVE output module to report alerts, metadata, file information and protocol records in JSON. As described in the official documentation, this module can also emit its records through the syslog facility.
Configure Suricata to forward events to rsyslog
Open the Suricata configuration file (please note that the path to the configuration file may differ depending on the OS and your configuration):

```shell
sudo vim /etc/suricata/suricata.yaml
```
Paste the following declaration into your Suricata configuration to trigger the production of syslog entries under the local5 facility:
```yaml
outputs:
  - eve-log:
      enabled: yes
      # newer Suricata releases name this key "filetype"; "type" is kept for backwards compatibility
      type: syslog
      identity: suricata   # program name (tag) stamped on each syslog message
      facility: local5
      level: Info
      types:               # only these EVE record types are emitted
        - alert
        - http
        - dns
        - tls
```
Configure the Rsyslog server
Given this Suricata configuration, your local rsyslog server will receive the produced records. Please consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.
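To check what rsyslog actually receives from the configuration above, here is an added example (not part of this page or of the Suricata or Sekoia.io projects) that parses the syslog lines Suricata emits, keeps only those carrying the configured identity and facility, decodes the embedded EVE JSON, and filters on the four configured record types. The sample lines, the host name `sensor1` and the rule `CONSTRUCTED test rule` are constructed for the example.

```python
import json
import re
# Constructed sample of what rsyslog receives once the EVE syslog output above is enabled:
# PRI <174> = facility 21 (local5) * 8 + severity 6 (Info), and "suricata" is the identity string.
SAMPLE_SYSLOG = [
    '<174>Mar  4 10:21:07 sensor1 suricata: {"timestamp":"2024-03-04T10:21:07.123456+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED test rule","severity":2}}',
    '<174>Mar  4 10:21:08 sensor1 suricata: {"timestamp":"2024-03-04T10:21:08.000001+0000",'
    '"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}',
    # "flow" is not in the configured types list; the sshd line is unrelated local7 traffic on the same host
    '<174>Mar  4 10:21:09 sensor1 suricata: {"timestamp":"2024-03-04T10:21:09.000001+0000",'
    '"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '<190>Mar  4 10:21:10 sensor1 sshd[1234]: Accepted publickey for admin from 10.0.0.2',
]
LOCAL5, INFO = 21, 6  # the numbers behind "facility: local5" and "level: Info"
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse_syslog_line(line):
    """Split an RFC 3164 line into facility, severity, host, tag and message; None if not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
            "tag": m.group("tag"), "msg": m.group("msg")}

def eve_records(lines, identity="suricata", facility=LOCAL5, wanted=("alert", "http", "dns", "tls")):
    """Yield (event_type, record) for EVE JSON carried by lines matching the configured identity and facility."""
    for line in lines:
        hdr = parse_syslog_line(line)
        if hdr is None or hdr["tag"] != identity or hdr["facility"] != facility:
            continue
        try:
            rec = json.loads(hdr["msg"])
        except json.JSONDecodeError:  # truncated or non-JSON payload: skip it rather than stop the pipeline
            continue
        if rec.get("event_type") in wanted:
            yield rec["event_type"], rec

def summarize(lines):
    """Count forwarded EVE events per type and collect alert signatures, as a pipeline sanity check."""
    counts, alerts = {}, []
    for event_type, rec in eve_records(lines):
        counts[event_type] = counts.get(event_type, 0) + 1
        if event_type == "alert":
            a = rec["alert"]
            alerts.append((a["signature_id"], a["signature"], rec["src_ip"], rec["dest_ip"]))
    return counts, alerts
```

Running `summarize(SAMPLE_SYSLOG)` yields one alert and one dns record; the flow record and the sshd line are dropped, which is what you should expect to see on the rsyslog side before forwarding.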