Using Telegraf to ship Snort or Suricata logs
-
Hello,
I noticed recently that there is a telegraf package with pfSense. I wonder, has anyone used its log parser input plugin to ship either Snort or Suricata logs?
If yes, did you use influxdb or ES? Can influxdb give the same functionality as ES does?
Please advise
Thanks
-
I use the log parser for pfblockerng currently and I am looking at adding support for snort. telegraf has a bunch of nice input plugins so you can use grok patterns, CSVs with custom headers, syslog, and more with telegraf. I will link you the dashboard I use and a list of telegraf inputs.
- telegraf and grafana dashboard
- https://docs.influxdata.com/telegraf/v1.14/plugins/plugin-list/
I like using telegraf and influxdb over ES since it is easier to set up, and grafana and chronograf are way more responsive and easier to use than kibana.
-
The next update to the Suricata 5.x package on pfSense will contain a new option for configuring Suricata to export performance stats over a Unix socket to Telegraf. It will support the input.suricata plugin. Suricata can produce EVE JSON logs, and that data can be either written to a conventional text file or it can be made available to a Unix socket. So if someone produces a log data parser for EVE JSON, then Suricata can easily be adapted to feed data over the Unix socket. I am not familiar with Telegraf since I've never used it. So I don't know what it is capable of in terms of digesting Suricata's EVE JSON logs. The new feature I mentioned came from a Redmine Feature Request submitted a while back. And that request was specifically for Suricata performance stats (things like packets processed, packets dropped due to load, etc.).
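As an added example (not code from this thread, nor from the pfSense, Suricata or Telegraf projects), here is a small Python parser of the kind the reply above describes: it reads EVE JSON line by line, keeps only `stats` events, skips alerts and torn lines, and turns the counters into InfluxDB line protocol plus a kernel drop ratio. The sample lines, the `suricata_stats` measurement name and the `host=pfsense` tag are constructed for this example; the field names follow Suricata's stats event layout.

```python
import json
from datetime import datetime
# Constructed sample EVE JSON (one object per line); field layout follows Suricata's stats/alert events, values are made up.
SAMPLE_EVE = """\
{"timestamp":"2020-06-01T12:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1500,"kernel_drops":3},"decoder":{"pkts":1500,"bytes":960000}}}
{"timestamp":"2020-06-01T12:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"severity":2}}
{"timestamp":"2020-06-01T12:00:08.000000+0000","event_type":"stats","stats":{"uptime":68,"capture":{"kernel_packets":2200,"kernel_drops":12},"decoder":{"pkts":2200,"bytes":1400000}}}
not json at all
"""

def flatten(obj, prefix=""):
    """Nested dicts -> {"capture.kernel_packets": 1500, ...}; numeric leaves only (bools excluded)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            out[name] = value
    return out

def parse_stats_events(text):
    """Return [(timestamp_ns, flat_fields)] for EVE 'stats' events; other event types and bad lines are skipped."""
    events = []
    for raw in text.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a torn or non-JSON line must not stop the shipper
        if event.get("event_type") != "stats" or not isinstance(event.get("stats"), dict):
            continue
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        ns = int(ts.timestamp()) * 1_000_000_000 + ts.microsecond * 1_000  # keep integer nanoseconds
        events.append((ns, flatten(event["stats"])))
    return events

def to_line_protocol(events, host="pfsense"):
    """One InfluxDB line-protocol point per stats sample (integer fields get the 'i' suffix)."""
    lines = []
    for ns, fields in events:
        body = ",".join(f"{k}={v}i" if isinstance(v, int) else f"{k}={v}" for k, v in sorted(fields.items()))
        lines.append(f"suricata_stats,host={host} {body} {ns}")
    return lines

def kernel_drop_ratio(events):
    """Kernel drops per captured packet between first and last sample; counters are cumulative, so use deltas."""
    if not events:
        return 0.0
    delta = {k: events[-1][1][k] - events[0][1][k] for k in ("capture.kernel_packets", "capture.kernel_drops")}
    return delta["capture.kernel_drops"] / delta["capture.kernel_packets"] if delta["capture.kernel_packets"] else 0.0
```

Because Suricata's stats counters only ever grow, a dashboard should graph the per-interval delta (or the ratio above), not the raw cumulative value.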