Forwarding Suricata Logs to ELK or Graylog
- 
 I have currently found no solution to forward Suricata logs in complete JSON format to an external logger.
 There were suggestions to add the FreeBSD sources to PKG, but this ended on my 2.8.1 with a corrupted system and version mismatches.
 All other threads are more than 5 years old and have no real solution.
 Anyone managed to forward the logs?
 Regards
 Grayhat
- 
 @Greyhat 
 I'm on the lookout for a solution too...
 Plan to keep looking.
 Am unwilling to tinker with an agent on the pfsense box.
 Forwarding EVE JSON via syslog is an option in the config.
 <update>
 The JSON in system log GUI is not pretty...
 Then again, once it's in system log, you can FWD it.
 Will need parsing.
 Make sure to tune your rules to avoid this type of alert tsunami...
  
- 
 @b3rt 
 Unfortunately BSD syslog truncates messages to 760 bytes, so this will not always work. Also, when testing I did not get Suricata to log JSON into syslog.
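 An added example (my own code, not from this thread, pfSense or Suricata) of what the receiving side in ELK/Graylog has to cope with when EVE JSON comes in through syslog as discussed above: it strips an assumed BSD syslog header, parses the JSON, and flags records cut at the 760-byte limit while salvaging the leading fields so they stay searchable. The header layout, hostname and sample events are constructed assumptions.

```python
import json
import re

# The post above says BSD syslog caps a forwarded message at 760 bytes, so long
# EVE records (http, fileinfo, alerts with payload) arrive cut off as invalid JSON.
MAX_SYSLOG_BYTES = 760  # limit quoted in the thread

# Assumed line shape: "<PRI>Mon DD HH:MM:SS host suricata[pid]: {json}" (assumption).
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ suricata(?:\[\d+\])?: (?P<json>\{.*)$"
)
SALVAGE_RE = re.compile(r'"(event_type|src_ip|dest_ip|timestamp)":"([^"]*)"')

def parse_syslog_eve(line):
    """Describe one forwarded line: status plus the event or the salvaged fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"status": "not_eve"}
    payload = m.group("json")
    try:
        return {"status": "ok", "event": json.loads(payload)}
    except json.JSONDecodeError:
        # Keep whatever top-level fields survived so the record is still
        # searchable in ELK/Graylog, and flag it so the cut-off is visible.
        salvaged = dict(SALVAGE_RE.findall(payload))
        status = "truncated" if len(line.encode()) >= MAX_SYSLOG_BYTES else "malformed"
        return {"status": status, "salvaged": salvaged, "raw": payload}

def ingest(lines):
    """Parse many lines; return (records, counts) for a downstream pipeline."""
    records, counts = [], {"ok": 0, "truncated": 0, "malformed": 0, "not_eve": 0}
    for line in lines:
        r = parse_syslog_eve(line)
        counts[r["status"]] += 1
        if r["status"] != "not_eve":
            records.append(r)
    return records, counts

# Constructed sample input (not real traffic): one short alert, one long http
# record cut at 760 bytes the way a truncating syslog would deliver it, one
# unrelated syslog line that must be ignored.
_hdr = "<11>Jan  2 10:15:01 pfsense suricata[1234]: "
_alert = {"timestamp": "2024-01-02T10:15:01.000000+0000", "event_type": "alert",
          "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
          "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED test rule", "severity": 2}}
_http = {"timestamp": "2024-01-02T10:15:02.000000+0000", "event_type": "http",
         "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "http": {"url": "/" + "a" * 900}}
SAMPLE_LINES = [
    _hdr + json.dumps(_alert, separators=(",", ":")),
    (_hdr + json.dumps(_http, separators=(",", ":")))[:MAX_SYSLOG_BYTES],
    "<38>Jan  2 10:15:03 pfsense sshd[77]: Accepted publickey for admin from 10.0.0.2",
]
```

Running `ingest(SAMPLE_LINES)` yields one parsed alert, one record marked `truncated` with only its timestamp, event_type and addresses salvaged, and the sshd line counted as `not_eve`.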
- 
 @Greyhat 
 I think it's useful to work with what we've got and figure something out for the (I hope) edge cases later.
 So for the JSON I figured you can actually use an existing Suricata integration by co-opting their pipelines.