- Edit the suricata*.yaml files so that Suricata writes the events/alerts to a log file:
- sudo vi /opt/unifi/ips/config/suricata_low.yaml
- sudo vi /opt/unifi/ips/config/suricata_high.yaml
- Add the section between the two comments below to both files (the second eve-log block, eve_stat.json, is the one already present in the files):
outputs:
  # everything below here
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve_filebeat.json
      filemode: 666
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes # enable this for extended logging information
        - dns
        - tls:
            extended: yes # enable this for extended logging information
        - files:
            force-magic: yes # force logging magic on all logged files
            force-md5: yes # force logging of md5 checksums
        - drop
        - ssh
        - smtp
        - flow
  # everything above here
  - eve-log:
      enabled: yes
      filetype: unix_dgram #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve_stat.json
- Install Filebeat as you have described, but enable the suricata module.
- FOR THE SURICATA.YML MODULE (modules.d/suricata.yml):
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-suricata.html
- module: suricata
  # All logs
  eve:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/suricata/eve_filebeat.json"]
- To keep filebeat running even after you disconnect: > I don't know how to get filebeat in as a service; if someone can share that, please do.
- nohup /home/YOURACCOUNT/filebeat/filebeat run -c /home/YOURACCOUNT/filebeat/filebeat.yml >/dev/null 2>&1 &
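Before pointing Filebeat at eve_filebeat.json it is worth confirming that Suricata is actually emitting the event types enabled in the `types:` list above. The script below is an added example, not part of the original paste or of Suricata/Filebeat; it parses EVE JSON lines, counts events per `event_type`, lists configured types that have not appeared yet (note that the `files` output logs as `event_type: fileinfo`), and summarizes alerts by signature. The sample lines and the signature id 9000001 are constructed for the example; run it against the real file with `python3 eve_check.py /var/log/suricata/eve_filebeat.json`.

```python
import json
import sys
from collections import Counter

# EVE event_type values produced by the "types:" list in suricata_low.yaml /
# suricata_high.yaml above. The "files" output shows up as "fileinfo".
CONFIGURED_TYPES = ["alert", "http", "dns", "tls", "fileinfo",
                    "drop", "ssh", "smtp", "flow"]

# Constructed sample of eve_filebeat.json (not captured from a real device).
# The last line is deliberately malformed to exercise the error path.
SAMPLE_EVE = """\
{"timestamp":"2020-04-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED TEST rule A","category":"Example","severity":2}}
{"timestamp":"2020-04-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2020-04-01T10:00:02.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"203.0.113.10","url":"/","http_method":"GET","status":200}}
{"timestamp":"2020-04-01T10:00:03.000000+0000","flow_id":3,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","proto":"TCP","tls":{"sni":"example.org","version":"TLS 1.2"}}
{"timestamp":"2020-04-01T10:00:04.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED TEST rule A","category":"Example","severity":2}}
{"timestamp":"2020-04-01T10:00:05.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":500,"bytes_toclient":2000,"state":"closed"}}
this line is not json and must be counted as malformed
"""


def parse_eve(text):
    """Parse EVE JSON lines. Returns (events, malformed_count).

    A line is malformed if it is not valid JSON or lacks "event_type";
    such lines are skipped rather than aborting the whole run, because a
    partially written last line is normal while Suricata is still logging.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(event, dict) or "event_type" not in event:
            malformed += 1
            continue
        events.append(event)
    return events, malformed


def type_counts(events):
    """Number of events seen per event_type."""
    return Counter(ev["event_type"] for ev in events)


def missing_types(events, configured=CONFIGURED_TYPES):
    """Configured event types that have not appeared in the log yet."""
    seen = set(type_counts(events))
    return [t for t in configured if t not in seen]


def alert_summary(events):
    """Counter keyed by (signature_id, signature, severity) for alert events."""
    counts = Counter()
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        alert = ev.get("alert", {})
        key = (alert.get("signature_id"), alert.get("signature"), alert.get("severity"))
        counts[key] += 1
    return counts


def summarize(text):
    """One-shot summary dict suitable for printing or asserting on."""
    events, malformed = parse_eve(text)
    return {
        "events": len(events),
        "malformed": malformed,
        "by_type": dict(type_counts(events)),
        "missing_types": missing_types(events),
        "top_alerts": alert_summary(events).most_common(5),
    }


if __name__ == "__main__":
    # Read the real eve log if a path is given, otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_EVE
    print(json.dumps(summarize(source), indent=2))
```

If `missing_types` keeps listing `fileinfo`, `drop`, `ssh` or `smtp` on a busy network, check that the block was added to both suricata_low.yaml and suricata_high.yaml and that the IPS engine was restarted; a non-zero `malformed` count that keeps growing (rather than a single partial last line) points at something else writing to the same file.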