Monitoring Splunk

Suricata logs converted from unified2 to json for Splunk

Splunk0n
New Member

Hello Splunkers and @niemesrw - I am trying to get my Suricata logs converted from unified2 to json for Splunk. I saw @niemesrw successfully got it to work, which is why I'm reaching out.

I followed this guidance: http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html, section 12.1.1 (Eve JSON Output).

I am still unable to get this converted. Below is my current configuration. Can somebody please assist?

Many thanks, and I know it's more of a Suricata conversation issue.

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: file #file|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  mode: list ## possible values: list (default), channel
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting as to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer
      types:
        - alert:
            # payload: yes # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes # enable dumping of packet (without stream segments)
            http: yes # enable dumping of http fields
            tls: yes # enable dumping of tls fields
            ssh: yes # enable dumping of ssh fields
            smtp: yes # enable dumping of smtp fields

            # HTTP X-Forwarded-For support by adding an extra field or overwriting
            # the source or destination IP address (depending on flow direction)
            # with the one reported in the X-Forwarded-For HTTP header. This is
            # helpful when reviewing alerts for traffic that is being reverse
            # or forward proxied.
            xff:
              enabled: no
              # Two operation modes are available, "extra-data" and "overwrite".
              mode: extra-data
              # Two proxy deployments are supported, "reverse" and "forward". In
              # a "reverse" deployment the IP address used is the last one, in a
              # "forward" deployment the first IP address is used.
              deployment: reverse
              # Header name where the actual IP address will be reported, if more
              # than one IP address is present, the last IP address will be the
              # one taken into consideration.
              header: X-Forwarded-For
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
            force-md5: no     # force logging of md5 checksums
        #- drop:
        #    alerts: no       # log alerts that caused drops
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]

        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netfl
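As an added example that is not part of the original post and not Suricata's or Splunk's own tooling: a small stdlib-only Python checker for the file the eve-log output writes (eve.json, matching the filename: setting in the config above). It confirms that the file holds one complete JSON object per line, that every record carries the timestamp and event_type fields a Splunk JSON extraction keys on, and which of the enabled types (alert, dns, flow, ...) are actually being produced. The sample lines below are constructed, not captured Suricata output; the severity scale (1 = most urgent) is Suricata's own.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real Suricata output): three well-formed
# EVE records of different event types, plus one truncated line of the kind a
# forwarder sees when it tails the file while Suricata is still writing a record.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-01-10T12:00:00.000001+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature":"EXAMPLE test rule","severity":2}}',
    '{"timestamp":"2018-01-10T12:00:01.000001+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.invalid"}}',
    '{"timestamp":"2018-01-10T12:00:02.000001+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2018-01-10T12:00:03.000001+0000","event_type":"alert","src_ip"',
]

# Fields every EVE record must carry for timestamping and event routing in Splunk.
REQUIRED_FIELDS = ("timestamp", "event_type")


def parse_eve_line(line):
    """Return the decoded EVE record, or None if the line is not a complete,
    usable JSON object (truncated write, non-JSON output, missing key fields)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    if any(field not in record for field in REQUIRED_FIELDS):
        return None
    return record


def summarize_eve(lines):
    """Count records per event_type and count lines that would fail JSON
    extraction. Accepts any iterable of lines, e.g. an open file object."""
    counts = Counter()
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue  # blank lines are harmless, do not count them as broken
        record = parse_eve_line(line)
        if record is None:
            bad += 1
            continue
        counts[record["event_type"]] += 1
    return dict(counts), bad


def alerts_at_or_above(lines, max_severity):
    """Return signatures of alert records whose severity is max_severity or
    more urgent (Suricata severity 1 is the highest priority)."""
    hits = []
    for line in lines:
        record = parse_eve_line(line.strip())
        if record is None or record["event_type"] != "alert":
            continue
        severity = record.get("alert", {}).get("severity")
        if severity is not None and severity <= max_severity:
            hits.append(record["alert"].get("signature"))
    return hits


if __name__ == "__main__":
    counts, bad = summarize_eve(SAMPLE_EVE_LINES)
    print("records per event_type:", counts)
    print("lines that would fail JSON extraction:", bad)
    print("alerts with severity <= 2:", alerts_at_or_above(SAMPLE_EVE_LINES, 2))
```

To run it against a live file, pass `open("/var/log/suricata/eve.json")` (path assumed; use whatever directory your default-log-dir points at) to summarize_eve. If the event_type counts stay empty while Suricata is running, the eve-log output is not enabled or the config is not being loaded; if counts appear but the bad-line count keeps climbing, the file is being rotated or read mid-write rather than mis-configured.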