Collect Suricata Eve logs

Supported in:

This document describes how you can view SURICATA_EVE logs in Google Security Operations.

The following deployment architecture diagram shows how SURICATA_EVE and Logstash are configured to send logs to Google Security Operations.

Deployment architecture

  1. Suricata saves data to an eve.json file.
  2. Logstash watches the eve.json file and forwards new logs to a syslog server. The syslog server can be a forwarder on the same VM or on a separate VM.
  3. The syslog server uses the Google Security Operations forwarder to listen for new logs over a specific port.
  4. The Google Security Operations forwarder forwards the logs to a Google Security Operations instance.

Before you begin

  • Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  1. Create an internal network load balancer.

  2. Set up packet mirroring.

  3. Install Suricata and confirm that alerts are being saved to the eve.json file. Note where the eve.json file is located.

  4. Install Logstash on the Suricata server.

  5. Edit the Logstash configuration file (/etc/logstash/conf.d/logstash.conf):

    a. Add the following code:

    • Change SYSLOG_SERVER to the location of your syslog server.
    • Make sure the port number (in this example, 10520) matches the port number in the Google Security Operations forwarder configuration.
    input {
      file {
          path => "/var/log/suricata/eve.json"
           start_position => "end"
           sincedb_path => "/dev/null"
       }
    }
    output {
       udp {
           host => "SYSLOG_SERVER"
           port => 10520
           codec => line { format => "%{message}"}
       }
    }

    b. Change the output.udp.host IP address:

    • If the Google Security Operations forwarder is on a different system than the syslog server, use the IP address of the syslog server.

    • If the Google Security Operations forwarder is on the same system as the syslog server, use an internal IP address.

You can use another log forwarder solution, such as rsyslog, with a configuration that removes the syslog header.

Ingest the SURICATA_EVE logs

Follow the instructions in Ingest Google Cloud logs to Google Security Operations.

If you encounter issues when ingesting SURICATA_EVE logs, contact Google Security Operations support.

For more information about how Google Security Operations ingests data, see Data ingestion to Google Security Operations overview.