Support #2660
Status: Closed
Structuring fast.log and storing it in Elasticsearch
Description
As we all know, eve.json can be output as JSON to Redis. Then Logstash can be used to pull the structured data from Redis into Elasticsearch.
I still need to store fast.log in Elasticsearch as well. How can I structure fast.log and output the structured data to Elasticsearch?
Updated by Victor Julien about 6 years ago
Out of curiosity: why would you want this? The eve.alert records are trivial to pass to ES; with fast.log you will need some kind of parsing before passing it to ES somehow.
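The parsing step mentioned above is the whole problem: fast.log is a one-line-per-alert text format, not JSON. As an added example (not Suricata's own code, nor anything posted in this issue), the following script turns fast.log lines into documents shaped like the eve.json alert record, so that alerts from both sources can share one Elasticsearch index, and renders them as a `_bulk` request body. The sample lines are constructed to match the layout of Suricata's fast.log output (timestamp, optional `[Drop]`/`[wDrop]` action, `[gid:sid:rev]`, message, classification, priority, protocol, and endpoints); the field names follow the eve.json alert schema, and the assumed index name `suricata-fast` is a placeholder. fast.log timestamps carry no timezone, so the script takes one as a parameter and assumes UTC by default.

```python
#!/usr/bin/env python3
"""Convert Suricata fast.log lines into EVE-style JSON documents for Elasticsearch.

Added example, not Suricata's own code. The regular expression follows the
fast.log line layout written by Suricata's fast logger; output field names
mirror the eve.json alert record so both sources can share one index.
"""
import json
import re
from datetime import datetime, timezone

# A fast.log line (with the optional IPS action prefix) looks like:
# 02/09/2018-12:34:56.789012  [Drop] [**] [1:2100498:7] MSG [**] \
#   [Classification: X] [Priority: 2] {TCP} SRC:SPORT -> DST:DPORT
# Greedy \S+ for the addresses backtracks to the last ':' so IPv6 works too.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<category>.*?)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)\s*$"
)

# Constructed sample input, not real traffic; the last line is deliberately malformed.
SAMPLE_FAST_LOG = """\
02/09/2018-12:34:56.789012  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.5:49152
02/09/2018-12:35:01.000001  [Drop] [**] [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:49152 -> 203.0.113.10:80
02/09/2018-12:35:02.500000  [**] [1:2200075:2] SURICATA ICMPv6 unknown type [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {IPv6-ICMP} 2001:db8::1:0 -> 2001:db8::2:0
this line is not a fast.log record
"""


def parse_fast_line(line, tz=timezone.utc):
    """Parse one fast.log line into an eve.json-shaped alert dict, or None if it does not match."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    # fast.log timestamps have no zone; the caller says which one they were written in.
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=tz)
    # Suricata prints "(null)" when a rule has no classtype; map that to a real null.
    category = None if m["category"] == "(null)" else m["category"]
    return {
        "timestamp": ts.isoformat(),
        "event_type": "alert",
        "src_ip": m["src"],
        "src_port": int(m["sp"]),
        "dest_ip": m["dst"],
        "dest_port": int(m["dp"]),
        "proto": m["proto"],
        "alert": {
            "action": "blocked" if m["action"] else "allowed",
            "gid": int(m["gid"]),
            "signature_id": int(m["sid"]),
            "rev": int(m["rev"]),
            "signature": m["msg"],
            "category": category,
            "severity": int(m["prio"]),
        },
    }


def parse_fast_log(lines, tz=timezone.utc):
    """Parse an iterable of lines; returns (documents, rejected) so bad lines are not silently lost."""
    docs, rejected = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        doc = parse_fast_line(line, tz)
        if doc is None:
            rejected.append((n, line.rstrip("\n")))
        else:
            docs.append(doc)
    return docs, rejected


def to_bulk_ndjson(docs, index="suricata-fast"):
    """Render documents as an Elasticsearch _bulk body: one action line per source line, newline-terminated."""
    out = []
    for doc in docs:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed, bad = parse_fast_log(SAMPLE_FAST_LOG.splitlines())
    for lineno, text in bad:
        print(f"skipped line {lineno}: {text!r}")
    print(to_bulk_ndjson(parsed), end="")
```

Run it against a real file with `parse_fast_log(open("/var/log/suricata/fast.log"))` and POST the returned body to `/_bulk` with `Content-Type: application/x-ndjson`; rejected lines are returned rather than dropped so a format change in a new Suricata release shows up as a count instead of as missing alerts. Note that the result carries only what fast.log contains: no flow_id, no packet payload, no app-layer metadata, which is exactly why the eve.json alert record is the better source when it is available.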
Updated by Hao Han about 6 years ago
Victor Julien wrote:
Out of curiosity: why would you want this? The eve.alert records are trivial to pass to ES; with fast.log you will need some kind of parsing before passing it to ES somehow.
Thanks for your replies. We want to visualize Suricata's alerts with Kibana.
Updated by Victor Julien about 6 years ago
I'm not sure I understand why you wouldn't just use the EVE alert records for this.
Updated by Bryant Smith almost 6 years ago
If you are still looking for a solution here, splitting out the alerts might be helpful. The eve.json will be much easier to implement in an ELK stack, and this way you can send it only the alerts if that is what you are looking for.

    outputs:
      - eve-log:
          enabled: yes
          type: file
          filename: eve-ips.json
          types:
            - alert
            - drop