External log capability in Suricata/snort??

  • Hi there

    Looking to export IDS/IPS logs to an external server. Any ideas??

    Thinking of building a heatmap on elasticsearch for visualizing the logs and being able to show them on a specific IP.

  • The only external export methods currently supported are syslog (in both packages) and Redis (in Suricata only). Most exporting from Suricata depends on the EVE JSON logging options being enabled.

    I strongly discourage the use of the Barnyard2 option as that package has not been maintained and hasn't been updated in FreeBSD ports in years. I plan to remove it from both Snort and Suricata in the near future due to security vulnerabilities in the MySQL database client dependency it drags in.

    Although there is no official pfSense GUI package for it, there is a logstash-forwarder port in FreeBSD ports that might work for you to get Suricata data over to an ELK stack.
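    An added example of what the ELK-side consumer of Suricata's EVE JSON output could look like, written for this thread and not code from the Suricata or pfSense projects. It assumes the standard EVE `alert` record shape (`timestamp`, `src_ip`, `dest_ip`, `alert.signature`, `alert.severity`); the log lines embedded below are constructed sample data. It parses the NDJSON feed, skips non-alert and malformed lines, aggregates alerts per source IP and hour (the two axes of the heatmap the original poster describes), and renders the records as Elasticsearch bulk NDJSON.

```python
"""Parse Suricata EVE JSON alerts and aggregate them per IP for a heatmap.

Constructed example for the thread above, not Suricata/pfSense project code.
Assumes EVE JSON lines whose alert records carry "timestamp", "src_ip",
"dest_ip" and an "alert" object with "signature"/"severity".
"""
import json
from collections import Counter

# Constructed sample eve.json content: three alerts, one flow record
# (not an alert) and one malformed line, as a real file may contain after
# a Suricata restart mid-write.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature":"ET SCAN Test","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10"}
{"timestamp":"2024-01-01T10:05:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.11","alert":{"signature":"ET SCAN Test","severity":2}}
{"timestamp":"2024-01-01T11:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature":"ET POLICY Test","severity":3}}
this line is not json
"""


def parse_eve_alerts(text):
    """Yield alert records from EVE JSON text; skip blank, malformed and non-alert lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or garbage line must not stop the whole import
        if rec.get("event_type") != "alert":
            continue
        yield rec


def heatmap_by_ip_hour(text):
    """Count alerts per (source IP, UTC hour): the two axes of a per-IP heatmap."""
    counts = Counter()
    for rec in parse_eve_alerts(text):
        hour = rec["timestamp"][:13]  # "YYYY-MM-DDTHH" from the EVE timestamp
        counts[(rec["src_ip"], hour)] += 1
    return counts


def top_sources(text, n=5):
    """Source IPs ordered by total alert count, most active first."""
    totals = Counter()
    for (ip, _hour), c in heatmap_by_ip_hour(text).items():
        totals[ip] += c
    return totals.most_common(n)


def to_es_bulk(text, index="suricata-alerts"):
    """Render alert records as Elasticsearch bulk NDJSON (action line, then document).

    The index name is an assumed placeholder; choose one matching your ELK setup.
    """
    lines = []
    for rec in parse_eve_alerts(text):
        doc = {
            "@timestamp": rec["timestamp"],
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "signature": rec["alert"]["signature"],
            "severity": rec["alert"].get("severity"),
        }
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (ip, hour), c in sorted(heatmap_by_ip_hour(SAMPLE_EVE).items()):
        print(f"{ip:16} {hour}  {c}")
    print(to_es_bulk(SAMPLE_EVE))
```

    Point the script at the real eve.json (or feed it the lines a syslog or Redis consumer delivers) instead of `SAMPLE_EVE`; the `to_es_bulk` output can be posted directly to the `_bulk` endpoint, and the `(src_ip, hour)` counts are what a Kibana heatmap visualisation aggregates on.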

  • Thks :)

