April 17, 2014
After having fun with Suricata's new eve/json logging format and the Logstash/Elastic Search/Kibana combination (see this and this), I wanted to get my Snort events into Elastic Search as well. Using my idstools python library I wrote u2json, a tool that will process a unified2 spool directory (much like barnyard) and convert the events to Suricata-style JSON.
Usage is relatively simple. Assuming Snort is logging to /var/log/snort, the following command line should do:
idstools-u2json -c /etc/snort/snort.conf \
    --directory /var/log/snort \
    --prefix unified2.log \
    --follow --bookmark \
    --output /var/log/snort/alerts.json
As the output is in the same format as Suricata's you can refer to this guide for the Logstash setup.
One extra step I took was to have Logstash add an "engine" field to each entry, so that Snort and Suricata events can be told apart. This can be accomplished by adapting the following Logstash configuration:
input {
    file {
        path => ["/var/log/suricata/eve.json"]
        codec => json
        type => "suricata-json"
    }
    file {
        path => ["/var/log/snort/alerts.json"]
        codec => json
        type => "snort-json"
    }
}
filter {
    if [type] == "suricata-json" {
        mutate {
            add_field => {
                "engine" => "suricata"
            }
        }
    }
    if [type] == "snort-json" {
        mutate {
            add_field => {
                "engine" => "snort"
            }
        }
    }
}
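To show what the unified2-to-JSON conversion step actually does, here is an added example (written for this post, not idstools' own code): a minimal reader for the unified2 IDS_EVENT record (type 7, assumed 52-byte IPv4 layout in network byte order) that emits Suricata eve-style alert lines and tags each with the same "engine" field the Logstash filter above adds. The spool bytes are constructed inline; a truncated trailing record is left unread, which is the situation --follow and --bookmark exist to handle.

```python
import json
import socket
import struct
from datetime import datetime, timezone

# Unified2 record header: record type (u32) then body length (u32), network byte order.
RECORD_HEADER = struct.Struct("!II")
# Unified2 IDS_EVENT (type 7) body: 11 x u32, 2 x u16, 4 x u8 = 52 bytes (assumed layout).
IDS_EVENT = struct.Struct("!11I2H4B")
UNIFIED2_IDS_EVENT = 7
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def iter_records(buf):
    """Yield (record_type, body) for each complete record; stop at a truncated tail."""
    offset = 0
    while offset + RECORD_HEADER.size <= len(buf):
        rtype, length = RECORD_HEADER.unpack_from(buf, offset)
        offset += RECORD_HEADER.size
        if offset + length > len(buf):
            break  # partial record (spool still being written): leave it for the next pass
        yield rtype, buf[offset:offset + length]
        offset += length

def ids_event_to_eve(body, engine="snort"):
    """Map one IDS_EVENT body onto Suricata eve-style alert keys plus an 'engine' tag."""
    (_sensor, _event_id, sec, usec, sid, gid, rev, _class, priority,
     src, dst, sport, dport, proto, _flag, _impact, blocked) = IDS_EVENT.unpack(body)
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)
    return {
        "timestamp": ts.isoformat(),
        "event_type": "alert",
        "engine": engine,
        "src_ip": socket.inet_ntoa(struct.pack("!I", src)), "src_port": sport,
        "dest_ip": socket.inet_ntoa(struct.pack("!I", dst)), "dest_port": dport,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "alert": {"gid": gid, "signature_id": sid, "rev": rev, "severity": priority,
                  "action": "blocked" if blocked else "allowed"},
    }

def unified2_to_eve_lines(buf, engine="snort"):
    """One JSON line per IDS_EVENT record in buf; other record types are skipped."""
    return [json.dumps(ids_event_to_eve(body, engine))
            for rtype, body in iter_records(buf) if rtype == UNIFIED2_IDS_EVENT]

# Constructed sample spool: one IDS_EVENT, then a truncated packet record (spool mid-write).
SAMPLE_EVENT_BODY = IDS_EVENT.pack(1, 42, 1397692800, 0, 2000345, 1, 5, 3, 2,
                                   0x0A000001, 0xC0A80102, 44321, 80, 6, 0, 0, 0)
SAMPLE_SPOOL = (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(SAMPLE_EVENT_BODY)) + SAMPLE_EVENT_BODY
                + RECORD_HEADER.pack(2, 100) + b"\x00" * 10)
```

Each line that unified2_to_eve_lines returns is what would be appended to alerts.json, already carrying the "engine" value the Logstash mutate filter would otherwise add.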
Check out the documentation for more information.