[Oisf-users] OT: A question about ELK and Suricata

[C. L. Martinez]

Hi all,

 After finish to setup all my Suricata IDS sensors, I need to install/deploy an ELK to visualize info collected by these sensors. Regarding this, due to ELK will be installed in a different host, I need to send sensor's logs to ELK via:

 a/ Using NFS: I can configure Suricata hosts as NFS servers to share logs with ELK host (using a private network)

 b/ Send Suricata logs using syslog to ELK host.

 c/ I can't use filebeat or any java based solution due to these suricata sensors are FreeBSD based (and java doesn't play really well under FreeBSD).


 My first option is b/. I can use rsyslog or syslog-ng to send logs to ELK host. But I have some doubts:

 1/ Rsyslog and syslog-ng supports json log format and can send logs directly to Elasticsearch host without using logstash. Is this a recommended option?
 2/ Queueing logs when Elasticsearch host is not available. How Elasticsearch hosts supports this type of incidence?


 And my last question: searching over the web to think about how to install and implement this solution, I see a lot of people use Elasticsearch 2.X/Logstash 2.X/Kibana 3.X or 4.X.. Any technical reason for not to use Elasticsearc/Logstash/Kibana 5??

Many thanks for your inputs.

-- 
Greetings,
C. L. Martinez