Collect Suricata Eve logs
This document describes how you can view SURICATA_EVE logs in Google Security Operations.
The following deployment architecture diagram shows how SURICATA_EVE and Logstash are configured to send logs to Google Security Operations.
- Suricata saves data to an
eve.json
file. - Logstash watches the
eve.json
file and forwards new logs to a syslog server. The syslog server can be a forwarder on the same VM or on a separate VM. - The syslog server uses the Google Security Operations forwarder to listen for new logs over a specific port.
- The Google Security Operations forwarder forwards the logs to a Google Security Operations instance.
Before you begin
Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure Suricata and related software
Create an internal network load balancer.
Set up packet mirroring.
Install Suricata and confirm that alerts are being saved to the
eve.json
file. Note where theeve.json
file is located.Install Logstash on the Suricata server.
Edit the Logstash configuration file (
/etc/logstash/conf.d/logstash.conf
):a. Add the following code:
- Change
SYSLOG_SERVER
to the location of your syslog server. - Make sure the port number (in this example,
10520
) matches the port number in the Google Security Operations forwarder configuration.
input { file { path => "/var/log/suricata/eve.json" start_position => "end" sincedb_path => "/dev/null" } } output { udp { host => "SYSLOG_SERVER" port => 10520 codec => line { format => "%{message}"} } }
b. Change the
output.udp.host
IP address:If the Google Security Operations forwarder is on a different system than the syslog server, use the IP address of the syslog server.
If the Google Security Operations forwarder is on the same system as the syslog server, use an internal IP address.
- Change
You can use another log forwarder solution, such as rsyslog, with a configuration that removes the syslog header.
Ingest the SURICATA_EVE logs
Follow the instructions in Ingest Google Cloud logs to Google Security Operations.
If you encounter issues when ingesting SURICATA_EVE logs, contact Google Security Operations support.
For more information about how Google Security Operations ingests data, see Data ingestion to Google Security Operations overview.