Network security monitoring has become increasingly critical for organizations of all sizes. Splunk is a well-established platform for storing and analyzing Suricata logs, giving security teams deep insight into network traffic patterns and potential threats. Now, SC4S (Splunk Connect for Syslog) makes Suricata log ingestion faster, more reliable, and more scalable.
In this post, we will showcase a simple setup of Suricata with Splunk using SC4S.
Suricata is a high-performance, open-source network security monitoring system used primarily as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) tool.
Suricata generates various log types, each serving a specific monitoring purpose. For example, alert logs are generated when the system matches a threat signature. Flow logs record per-session data such as duration and byte counts. File info logs contain metadata about extracted files: names, types, sizes, and hashes.
Several Technology Add-ons (TAs) are available for Suricata log processing and analysis. Some of them are simple, lightweight solutions, while others are full-featured integrations with comprehensive dashboards.
Stamus dashboard. Source: https://splunkbase.splunk.com/app/5262
Refer to the Suricata documentation for installation instructions. For example, on Ubuntu, you can use the APT repositories:
sudo apt install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
Edit `/etc/suricata/suricata.yaml` to specify your network interface in the `af-packet` section.
First, identify the network interface name by running the following:
ip addr
In this example, the interface is `ens5`.
Then update the interface in the `af-packet` section:
Suricata triggers alerts from signatures (rules), so you need to install a ruleset and keep it updated:
sudo suricata-update
sudo systemctl restart suricata
EVE (Extensible Event Format) logs provide structured JSON output that's ideal for Splunk ingestion. Enable this in your Suricata configuration for rich, parseable log data:
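As an added example that is not part of the original post, the following Python script shows what the EVE output looks like once it is parsed: every line is one JSON object carrying an `event_type`, and the type-specific detail (alert signature and severity, flow byte counts, file hashes) sits under a key of the same name. The sample lines, the host addresses and the rule named `LOCAL test alert` are constructed for the example; a line that is not valid JSON (for instance one truncated on disk) is reported rather than silently dropped, which is the check worth running before pointing Splunk at the file.

```python
import json
from collections import Counter

# Constructed sample of EVE output (one JSON object per line); not captured from a real
# sensor. Field names follow the Suricata EVE schema.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"LOCAL test alert (constructed)","category":"Misc activity","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":1,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":640,"bytes_toclient":2048,'
    '"age":1,"state":"closed","reason":"timeout","alerted":true}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":2,"event_type":"fileinfo",'
    '"src_ip":"203.0.113.9","dest_ip":"10.0.0.5","proto":"TCP","app_proto":"http",'
    '"fileinfo":{"filename":"/downloads/setup.exe","magic":"PE32 executable",'
    '"sha256":"' + "a" * 64 + '","size":1024,"stored":false}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP",'
    '"dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}',
    "this line is not JSON",  # constructed: a truncated or corrupted line
]


def parse_eve(lines):
    """Parse EVE lines. Returns (events, rejected) where rejected lists the 1-based
    numbers of lines that are not a JSON object with an event_type."""
    events, rejected = [], []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(n)
            continue
        if not isinstance(obj, dict) or "event_type" not in obj:
            rejected.append(n)
            continue
        events.append(obj)
    return events, rejected


def summarize(events):
    """Pull out the fields an analyst searches on for the log types discussed above."""
    summary = {"by_type": Counter(e["event_type"] for e in events),
               "alerts": [], "flow_bytes": 0, "file_hashes": []}
    for e in events:
        kind = e["event_type"]
        if kind == "alert":
            a = e["alert"]
            summary["alerts"].append((a.get("signature_id"), a.get("signature"),
                                      a.get("severity"), e.get("src_ip"), e.get("dest_ip")))
        elif kind == "flow":
            f = e["flow"]
            summary["flow_bytes"] += f.get("bytes_toserver", 0) + f.get("bytes_toclient", 0)
        elif kind == "fileinfo":
            fi = e["fileinfo"]
            summary["file_hashes"].append((fi.get("filename"), fi.get("sha256"), fi.get("size")))
    return summary


if __name__ == "__main__":
    events, rejected = parse_eve(SAMPLE_EVE_LINES)
    print("rejected lines:", rejected)
    print(summarize(events))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with `open("/var/log/suricata/eve.json")`; a non-empty `rejected` list usually means a partially written last line or a file that was rotated mid-event.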
Then restart the service:
sudo systemctl restart suricata
SC4S (Splunk Connect for Syslog) simplifies the ingestion process by automatically parsing and enriching Suricata logs. Designed specifically to handle syslog messages at scale, SC4S provides advanced features including filtering, parsing, load balancing, and disk-based buffering.
SC4S comes preconfigured with Splunk best practices: correct metadata, sourcetype assignment, index routing, and source tagging. Available as a container, it deploys easily in modern environments such as Kubernetes. The solution includes built-in health checks, metrics, and scalable deployment patterns. Thanks to syslog-ng's efficient C-based engine, SC4S handles high-throughput syslog ingestion with minimal resource usage.
Follow the Quickstart Guide in the SC4S documentation to launch an SC4S instance. The default configuration is ready to correctly parse and process Suricata logs out of the box.
Install a syslog daemon on the Suricata host and configure it to forward logs to your SC4S instance:
sudo apt install syslog-ng
# Configure destination in /etc/syslog-ng/syslog-ng.conf
destination d_net { tcp("your-sc4s-host" port(514) log_fifo_size(1000)); };
# Uncomment the following line in /etc/syslog-ng/syslog-ng.conf
log { source(s_src); destination(d_net); };
sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng
In `suricata.yaml`, change the eve-log filetype from regular to syslog:
Then restart the service:
sudo systemctl restart suricata
In Splunk, check that the logs arrive correctly sourcetyped and parsed out of the box:
While most TAs work with the default compound sourcetypes, some require a single simple sourcetype.
In `/opt/sc4s/env_file`, add:
SC4S_SURICATA_SIMPLE_SOURCETYPE=yes
Then run:
sudo systemctl restart sc4s
Notice that the compound sourcetypes such as `suricata:flow` and `suricata:dns` have been replaced with the single sourcetype `suricata`.
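To make the syslog path and the two sourcetype modes concrete, here is an added Python example (not code from the post, from Suricata or from SC4S). It takes constructed RFC 3164 lines of the kind the sensor's syslog-ng forwards to SC4S, where Suricata's syslog output uses the program name `suricata` and defaults to facility local5 and level Info, and assigns a sourcetype the way this post's output suggests SC4S does: `suricata:<event_type>` in the default mode, or the single sourcetype `suricata` when `SC4S_SURICATA_SIMPLE_SOURCETYPE=yes`. The generalization from the two sourcetypes shown above to every `event_type` is an assumption, as are the host name `sensor01`, the sample events and the helper names. A Suricata line whose JSON was cut off in transit is reported separately from unrelated daemons on the same host, since that is the failure a "properly parsed" check has to catch.

```python
import json
import os
import re
from collections import Counter

# RFC 3164 (BSD) framing as emitted by syslog-ng's legacy tcp() destination:
#   <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
# PRI = facility * 8 + severity. Suricata's syslog output defaults to local5 (21)
# and Info (6), so its lines start with <174>.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def _syslog_line(pri, program, pid, msg):
    """Constructed helper that builds one sample line in the framing above."""
    return f"<{pri}>Jan  1 10:00:00 sensor01 {program}[{pid}]: {msg}"


# Constructed sample of what SC4S receives from the forwarding syslog-ng on the sensor.
SAMPLE_SYSLOG_LINES = [
    _syslog_line(174, "suricata", 1234, json.dumps({
        "timestamp": "2024-01-01T10:00:00.000000+0000", "event_type": "flow",
        "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9", "proto": "TCP",
        "flow": {"bytes_toserver": 640, "bytes_toclient": 2048, "state": "closed"}})),
    _syslog_line(174, "suricata", 1234, json.dumps({
        "timestamp": "2024-01-01T10:00:01.000000+0000", "event_type": "dns",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.2", "proto": "UDP",
        "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}})),
    _syslog_line(174, "suricata", 1234, json.dumps({
        "timestamp": "2024-01-01T10:00:02.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9", "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "LOCAL test alert (constructed)",
                  "severity": 3}})),
    # Unrelated daemon on the same host (facility cron = 9): not a Suricata event.
    _syslog_line(78, "cron", 1, "(root) CMD (run-parts /etc/cron.hourly)"),
    # Suricata line whose JSON was cut off in transit: must be reported, not dropped.
    _syslog_line(174, "suricata", 1234, '{"event_type":"flow"'),
]


def parse_syslog(line):
    """Split one RFC 3164 line into its fields, or return None if it is not framed that way."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "program": m["program"], "msg": m["msg"]}


def assign_sourcetype(record, simple=False):
    """Assumed SC4S behaviour: a JSON event from program 'suricata' becomes
    suricata:<event_type>, or plain 'suricata' in simple mode; otherwise None."""
    if record is None or record["program"] != "suricata":
        return None
    try:
        event = json.loads(record["msg"])
    except json.JSONDecodeError:
        return None
    event_type = event.get("event_type") if isinstance(event, dict) else None
    if not event_type:
        return None
    return "suricata" if simple else f"suricata:{event_type}"


def route(lines, simple=None):
    """Count events per sourcetype. 'simple' defaults to the SC4S_SURICATA_SIMPLE_SOURCETYPE
    setting from the environment (the same variable as in /opt/sc4s/env_file).
    Returns (counts, lines skipped as non-Suricata, Suricata lines that failed to parse)."""
    if simple is None:
        simple = os.environ.get("SC4S_SURICATA_SIMPLE_SOURCETYPE", "no").lower() == "yes"
    counts, skipped, broken = Counter(), [], []
    for n, line in enumerate(lines, 1):
        record = parse_syslog(line)
        if record is None or record["program"] != "suricata":
            skipped.append(n)
            continue
        sourcetype = assign_sourcetype(record, simple)
        if sourcetype is None:
            broken.append(n)
        else:
            counts[sourcetype] += 1
    return counts, skipped, broken


if __name__ == "__main__":
    for mode in (False, True):
        counts, skipped, broken = route(SAMPLE_SYSLOG_LINES, simple=mode)
        print("simple" if mode else "compound", dict(counts),
              "skipped:", skipped, "broken:", broken)
```

The `broken` list is the one to watch when validating the pipeline: a Suricata event that reaches SC4S with malformed JSON will not get field extractions in Splunk even though it is indexed, and syslog message-length limits are a common cause of such truncation.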
For optimal performance with some TAs (like `CCX Add-on for Suricata`), enable acceleration for these data models:
Go to `Settings` -> `Data Models`. For each listed model, click `Edit` -> `Edit Acceleration` -> `Accelerate`.
Go to `Apps` and select your TA to view its reports and dashboards.
For example with `CCX Add-on for Suricata`:
Or Stamus:
Integrating Suricata with Splunk through SC4S creates a robust network security monitoring solution. The combination of Suricata's powerful detection capabilities, SC4S's efficient log processing, and Splunk's analytical power provides comprehensive visibility into your network security posture.
Whether you're just starting with network security monitoring or looking to enhance your existing capabilities, this integration offers a proven path to improved threat detection and incident response.