topic Re: Suricata data in Getting Data In

Currently not seeing any eve.json data coming from the suricata box to the Splunk server

wyomoose — Sat, 14 Oct 2023 12:10:25 GMT

[monitor:///var/log/suricata/eve.json] disabled=true sourcetype= suricata index = suricata

Currently not seeing any eve.json data coming from the suricata box to the splunk server? We do get other logs like the syslog but no eve.json data? Tried throwing the TA out in the APPs folder on the server that didn't work. Added index = suricata to the server and it doesn't find it. Any help would be appreciated. Instructions on deploying the app would be nice.

Re: Suricata data

richgalloway — Thu, 12 Oct 2023 18:24:40 GMT

The input is disabled (disabled=true) so nothing will be read from the file. Set disabled=false and restart the Splunk instance.

Re: Suricata data

wyomoose — Thu, 12 Oct 2023 20:02:35 GMT

Thanks for the help. Changed it and still no eve.json data on the server.

Re: Currently not seeing any eve.json data coming from the suricata box to the Splunk server

PickleRick — Sat, 14 Oct 2023 12:13:04 GMT

Wait a second. Your description is a bit chaotic.

1. You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?

2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?

3. Did you verify the inputs on the forwarder?

splunk btool inputs list monitor splunk list monitor splunk list inputstatus

4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones)

Re: Suricata data

wyomoose — Sat, 14 Oct 2023 12:12:04 GMT

You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?

Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app.

2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.

3.3. Did you verify the inputs on the forwarder? yes

btool host= splunk-nat-sec, index= suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json] splunk list monitor /var/log/suricata/eve.json, /var/log/syslog splunk list input status /var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch) splunkd. log has Warn Tailreader [ tailreader0] - Enquueing a very large file=/var/log/suricata/eve.json ..... readinf of other large files could be delayed.

Then an INFO about trimming input to first line

Then an INFO about shutting down while reading file

/var/log/suricata/eve.json

Then INfO about Batch file input finished reading the file.

It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.

Re: Suricata data

PickleRick — Fri, 13 Oct 2023 06:10:40 GMT

And are you sure the data isn't being indexed with wrong timestamp? Did you check the index contents outside of the supposed time ranges.

Re: Suricata data

wyomoose — Fri, 13 Oct 2023 18:18:11 GMT

in a search of all time on the GUI nothing came up. Checked SplunkD on the server it has Failed to Parse TImeStamp in first MAX_TIMESTAMP_LOOKHEAD ....defaulting to timestamp of previous event...context: source=var/log/suricata.eve. It also complains about too many events with the same timestamp. So do we need to add json_no_timestamp somehwere maybe in a props file? Wouldn't the app tell it how to parse it?

Re: Suricata data

PickleRick — Fri, 13 Oct 2023 18:36:38 GMT

That's interesting though because my whole config for ingesting suricata's eve.log boils down to this:

[monitor:///var/log/suricata/eve.json]
disabled = false
host = backup
index = net
sourcetype = suricata

I don't even have anything configured for the suricata sourcetype. It just automatically gets parsed as json. I should get it configured more reasonably but it's my home lab server so I don't mind.

Re: Suricata data

wyomoose — Fri, 13 Oct 2023 18:46:00 GMT

Thats the input file on the suricata server? Do you have the Suricata-TA installed on the forwarder or the server or both or are you even using the Suricata-TA.

Re: Suricata data

PickleRick — Fri, 13 Oct 2023 18:49:09 GMT

That's the funny part - I don't even have the TA. But I admit I haven't really gotten to the "let's use that data in any way" part which means I didn't care for extractions or CIM-compliance. I wasn't even aware that there is a TA for suricata. I just added an input to pull the events to splunk and that's it.

Re: Suricata data

wyomoose — Fri, 13 Oct 2023 18:51:42 GMT

But on the server, you see the events, can search the event, etc? Guess what are you doing with the data?

Re: Suricata data

PickleRick — Fri, 13 Oct 2023 18:55:39 GMT

Yes, they are indexed, and I can search them, they are getting parsed as they are jsons so by default Splunk does autokv on json events.

Re: Suricata data

wyomoose — Fri, 13 Oct 2023 19:53:19 GMT

Thanks maybe we just need to chuck the TA and just do it your way. Thanks man

Re: Suricata data

PickleRick — Fri, 13 Oct 2023 20:00:53 GMT

Well, the TA seems to not have been updated for the last 5 years. Might be outdated.