Suricata + ELK5 + KTS5
This is simple manual how to setup SELK5
- Suricata - is a free and open source, mature, fast and robust network threat detection engine.
- ElasticSearch - is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases.
- Logstash - is an open source, server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to elasticsearch.
- Kibana - is an open source data visualization plugin for Elasticsearch.
- Filebeat - is a log data shipper for local files. Installed as an agent on your servers, Filebeat monitors the log directories or specific log files.
- KTS5 - are templates for Kibana5.
Suricata
Make sure that next block is present in /etc/suricata/suricata.yaml:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
....
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
custom: [accept, accept-charset, accept-encoding, accept-language,
accept-datetime, authorization, cache-control, cookie, from,
max-forwards, origin, pragma, proxy-authorization, range, te, via,
x-requested-with, dnt, x-forwarded-proto, accept-range, age,
allow, connection, content-encoding, content-language,
content-length, content-location, content-md5, content-range,
content-type, date, etags, last-modified, link, location,
proxy-authenticate, referrer, refresh, retry-after, server,
set-cookie, trailer, transfer-encoding, upgrade, vary, warning,
www-authenticate]
Filebeat
Add the next lines to /etc/filebeat/filebeat.yml:
filebeat:
prospectors:
- input_type: log
paths:
- "/var/log/suricata/eve.json"
fields:
application: suricata
fields_under_root: true
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
output:
logstash:
# The Logstash hosts
hosts: ["10.10.10.10:5000"]
Logstash
Add the next lines to /etc/logstash/logstash.yml
input {
beats {
port => 5000
codec => "json_lines"
}
}
filter {
if [application] == "suricata" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "
if event.get('[event_type]') == 'fileinfo'
event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])
end
"
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
}
output {
else if [application] == "suricata" {
elasticsearch {
hosts => ["localhost:9200"]
index => "suricata-%{+YYYY.MM.dd}"
document_type => "suricata"
template => "/etc/logstash/elasticsearch5-template.json"
template_overwrite => true
}
}
}
/etc/logstash/elasticsearch5-template.json
{
"template" : "suricata-*",
"version" : 50001,
"settings" : {
"number_of_replicas": 0,
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true, "norms" : false},
"dynamic_templates" : [ {
"message_field" : {
"path_match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text",
"norms" : false
}
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text", "norms" : false,
"fields" : {
"keyword" : { "type": "keyword", "index": "not_analyzed", "ignore_above": 256 },
"raw" : { "type": "keyword", "index": "not_analyzed", "ignore_above": 256 }
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date", "include_in_all": false },
"@version": { "type": "keyword", "include_in_all": false },
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
},
"dest_ip": {
"type": "ip",
"fields": {
"raw": {"index": "not_analyzed", "type": "keyword"},
"keyword": {"index": "not_analyzed", "type": "keyword"}
}
},
"src_ip": {
"type": "ip",
"fields": {
"raw": {"index": "not_analyzed", "type": "keyword"},
"keyword": {"index": "not_analyzed", "type": "keyword"}
}
}
}
}
}
}
GeoLite2-City.mmdb you can find here https://dev.maxmind.com/geoip/geoip2/geolite2/
Unpack and place it there /etc/logstash/GeoLite2-City.mmdb
Kibana
Download Kibana templates KTS
unzip archive
wget https://github.com/aspel/KTS5/archive/master.zip
unzip master.zip
cd KTS5-master
./load.sh
