Using Telegraf to ship Snort or Suricata logs
I noticed recently that there is a telegraf package for pfSense. I wonder, has anyone used its log parser input plugin to ship either Snort or Suricata logs?
If yes, did you use influxdb or ES? Can influxdb give the same functionality as ES does?
tiny6996 last edited by
I use the log parser for pfblockerng currently and I am looking at adding support for snort. telegraf has a bunch of nice input plugins so you can use grok patterns, CSVs with custom headers, syslog, and more with telegraf. I will link you the dashboard I use and a list of telegraf inputs.
- telegraf and grafana dashboard
I like using telegraf and influxdb over ES since it is easier to set up, and grafana and chronograf are way more responsive and easier to use than kibana.
bmeeks last edited by bmeeks
The next update to the Suricata 5.x package on pfSense will contain a new option for configuring Suricata to export performance stats over a Unix socket to Telegraf. It will support the
Suricata can produce EVE JSON logs, and that data can be either written to a conventional text file or it can be made available to a Unix socket. So if someone produces a log data parser for EVE JSON, then Suricata can easily be adapted to feed data over the Unix socket. I am not familiar with Telegraf since I've never used it. So I don't know what it is capable of in terms of digesting Suricata's EVE JSON logs. The new feature I mentioned came from a Redmine Feature Request submitted a while back. And that request was specifically for Suricata performance stats (things like packets processed, packets dropped due to load, etc.).
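To make concrete what a parser between Suricata's EVE JSON output and InfluxDB has to do (covering both the grok/JSON input-plugin discussion above and the EVE JSON alert and stats events just described), here is an added example. It is not code from the pfSense package, Telegraf or Suricata. The measurement names, the tag/field split, the "_" delimiter used to flatten nested stats, and the sample EVE lines are all assumptions constructed for the example; only the EVE timestamp format and the InfluxDB line-protocol rules are taken from the respective projects' documented formats.

```python
"""Convert Suricata EVE JSON events into InfluxDB line protocol.

Added example (not pfSense, Telegraf or Suricata code): it shows what a shipper
sitting between Suricata's EVE output (file or Unix socket) and InfluxDB has to
do: parse JSON, pick tags vs. fields, flatten nested stats, escape line protocol
and convert the EVE timestamp to nanoseconds. Measurement names, tag choices and
the "_" flattening delimiter are assumptions.
"""
import json
from datetime import datetime

# Constructed sample EVE lines shaped like eve.json entries (not captured data).
# The last line is junk, which a feed from a restarting sensor can contain.
SAMPLE_EVE = [
    '{"timestamp":"2020-05-01T12:34:56.789012+0000","flow_id":123456789,'
    '"in_iface":"em0","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2020-05-01T12:35:00.000000+0000","event_type":"stats",'
    '"stats":{"uptime":120,"capture":{"kernel_packets":1000,"kernel_drops":3},'
    '"decoder":{"pkts":997,"bytes":120000}}}',
    '{"timestamp":"2020-05-01T12:35:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP"}',
    'not json at all',
]


def _escape_tag(value):
    # Line protocol: commas, spaces and '=' in tag keys/values must be escaped.
    return str(value).replace(",", "\\,").replace(" ", "\\ ").replace("=", "\\=")


def _field_value(value):
    # Integers carry an 'i' suffix so InfluxDB does not store them as floats;
    # strings are double-quoted with backslash and quote escaped.
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return "%di" % value
    if isinstance(value, float):
        return repr(value)
    return '"%s"' % str(value).replace("\\", "\\\\").replace('"', '\\"')


def eve_timestamp_ns(ts):
    """EVE timestamps look like 2020-05-01T12:34:56.789012+0000; return ns since epoch."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()) * 10**9 + dt.microsecond * 1000


def flatten(d, prefix="", sep="_"):
    """Flatten the nested stats object into flat numeric keys (capture_kernel_drops, ...)."""
    out = {}
    for k, v in d.items():
        key = prefix + sep + k if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key, sep))
        elif isinstance(v, (int, float)) and not isinstance(v, bool):
            out[key] = v
    return out


def _line(measurement, tags, fields, ts_ns):
    tag_str = "".join(",%s=%s" % (_escape_tag(k), _escape_tag(v)) for k, v in sorted(tags.items()))
    field_str = ",".join("%s=%s" % (k, _field_value(v)) for k, v in sorted(fields.items()))
    return "%s%s %s %d" % (measurement, tag_str, field_str, ts_ns)


def eve_to_line_protocol(raw):
    """Return one line-protocol string for an alert or stats event, or None to drop it."""
    try:
        ev = json.loads(raw)
    except ValueError:
        return None  # junk on the feed must not kill the shipper
    etype = ev.get("event_type")
    if etype == "alert":
        a = ev["alert"]
        # Low-cardinality attributes become tags; IPs and ports stay fields so an
        # alert-heavy sensor does not explode the series count.
        tags = {"iface": ev.get("in_iface", "unknown"), "proto": ev.get("proto", "unknown"),
                "action": a.get("action", "unknown"), "severity": a.get("severity", 0)}
        fields = {"signature": a["signature"], "signature_id": a["signature_id"],
                  "gid": a.get("gid", 1), "rev": a.get("rev", 0),
                  "category": a.get("category", ""),
                  "src_ip": ev.get("src_ip", ""), "dest_ip": ev.get("dest_ip", ""),
                  "src_port": ev.get("src_port", 0), "dest_port": ev.get("dest_port", 0)}
        return _line("suricata_alert", tags, fields, eve_timestamp_ns(ev["timestamp"]))
    if etype == "stats":
        fields = flatten(ev["stats"])
        return _line("suricata_stats", {}, fields, eve_timestamp_ns(ev["timestamp"])) if fields else None
    return None  # flow, dns, http, ... are not shipped by this example


def convert_stream(lines):
    """Convert an iterable of raw EVE lines, dropping events this shipper ignores."""
    return [lp for lp in (eve_to_line_protocol(l) for l in lines) if lp]


if __name__ == "__main__":
    for lp in convert_stream(SAMPLE_EVE):
        print(lp)
```

Run stand-alone it prints one `suricata_alert` line and one `suricata_stats` line; the flow event and the junk line are dropped. The point a practitioner should take from it is the tag/field split: signature IDs, interfaces and actions are cheap to tag, but tagging source and destination IPs on a busy sensor creates one InfluxDB series per address pair, which is the usual way an IDS dashboard backed by InfluxDB falls over.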