@ -2,14 +2,17 @@ Logstash Kibana and Suricata JSON output
========================================
With the release of Suricata 2.0rc1 , Suricata introduces all JSON output capability.
What is JSON - http://en.wikipedia.org/wiki/JSON
What is JSON - http://en.wikipedia.org/wiki/JSON
One way to handle easily Suricata's JSON log outputs is through Kibana - http://kibana.org/ :
> Kibana is a highly scalable interface for Logstash (http://logstash.net/) and ElasticSearch (http://www.elasticsearch.org/) that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.
>
::
Kibana is a highly scalable interface for Logstash (http://logstash.net/) and ElasticSearch (http://www.elasticsearch.org/) that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.
The installation is very simple/basic start up with minor specifics for ubuntu. You can be up and running, looking through the logs in under 5 min.
The downloads can be found here - http://www.elasticsearch.org/overview/elkdownloads/
This is what yo need to do.
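Review bot: the `::` on the line after the `>` quote is not followed by an indented block, so docutils will emit "Literal block expected; none found" and render the Kibana description as an ordinary paragraph rather than a quotation. Either indent the quoted sentence under the `::` (which would render it verbatim as a literal block, probably not what is wanted) or drop the `::` and indent the paragraph so it becomes an rst block quote, with an attribution line such as `-- kibana.org`. Two further points in the same hunk: "What is JSON - http://en.wikipedia.org/wiki/JSON" appears twice in a row and one copy should go, and "This is what yo need to do." should read "This is what you need to do."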
@ -38,7 +41,7 @@ Make sure your Suricata is compiled/installed with libjansson support enabled:
CUDA enabled: no
...
If it isn't check out the [[Suricata_installation]] page to install or compile Suricata for your distribution.
If it isn't check out the [[**FIXME**Suricata_installation]] page to install or compile Suricata for your distribution.
**NOTE:** you will need these packages installed -> **libjansson4** and *libjansson-dev* before compilation.
From here on if you would like to customize and familiarize yourself more with the interface you should read the documentation about Kibana and Logstash.
Please have in mind that this is a very quick(under 5 min) tutorial. You should customize and review the proper way for you of using it as a service and/or consider using *httpS web interface and reversy proxy with some authentication*.
Please have in mind that this is a very quick(under 5 min) tutorial. You should customize and review the proper way for you of using it as a service and/or consider using **httpS web interface and reversy proxy with some authentication**.
Some possible customization of the output of Logstash and Kibana - >
Some possible customization of the output of Logstash and Kibana
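Review bot: the `[[**FIXME**Suricata_installation]]` wiki link was not converted; the other hunks in this change replace wiki links with `:ref:` roles, so this one should become something like `:ref:`Suricata installation <suricata-installation>`` (label name assumed, it must match a `.. _suricata-installation:` target in the installation page), and the FIXME marker must not ship in the rendered docs. While here: "reversy proxy" should be "reverse proxy", "httpS" should be "HTTPS", and "very quick(under 5 min)" needs a space before the parenthesis; these typos are present in both the old and new versions of the line, and the trailing "- >" on "Some possible customization ... - >" is correctly dropped in the new version.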
@ -29,8 +29,8 @@ For MySQL make sure you create a db and a table:
OPTIONALLY - if you would like you can add in the MD5 whitelist table and import the data as described here ( [[Filemd5 and white/black listing with MD5]] )
OPTIONALLY - if you would like you can add in the MD5 whitelist table and import the data as described here :ref:`FileMD5 and white/black listing with md5 <filemd5-listing>`
now you can go ahead and execute the script - [[Script FollowJSON]]
now you can go ahead and execute the script - :ref:`Script FollowJSON <script-follow-json>`
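Review bot: the new `:ref:` roles depend on the labels `filemd5-listing` and `script-follow-json` being defined (as `.. _filemd5-listing:` and `.. _script-follow-json:` directly above a section title) in the target pages; Sphinx will otherwise render the link text as plain text and emit an "undefined label" warning, so please confirm both labels exist in this change set or in already-merged pages. Minor: "now you can go ahead and execute the script" should start with a capital letter.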
@ -67,14 +67,14 @@ Log out and log in again (with the "filejson" user) to test if everything is ok:
Optionally you could create and import the MD5 white list data if you wish - generally the same guidance as described in:
[[Filemd5 and white/black listing with MD5]]
Optionally you could create and import the MD5 white list data if you wish - generally the same guidance as described in :ref:`FileMD5 and white/black listing with md5 <filemd5-listing>`
Some more general info and basic commands/queries:
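Review bot: this hunk merges the two-line wiki reference into a single sentence ending in the `:ref:` role, which is consistent with the same `filemd5-listing` label used in the earlier hunk; one label, one target, so the cross-reference will resolve once that label is defined. The sentence itself is redundant ("Optionally ... if you wish"); consider "Optionally, create and import the MD5 whitelist data, following the same guidance as in :ref:`...`." The trailing colon after "basic commands/queries:" suggests a code block follows; make sure that block is indented (or introduced with `::`) so it does not hit the same literal-block problem as the first hunk.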