[Oisf-users] OT: A question about ELK and Suricata

C. L. Martinez carlopmart at gmail.com
Thu Apr 6 13:16:00 UTC 2017


ELK host is RHEL 7.3 based ... Suricata sensors are FreeBSD based.

On Thu, Apr 06, 2017 at 09:11:27AM -0400, Michael Shirk wrote:
> Currently in the FreeBSD ports tree, elasticsearch, logstash and kibana are
> all up to version 5, so are you using these ports in your setup?
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
> 
> On Apr 6, 2017 9:04 AM, "Oliver Humpage" <oliver at watershed.co.uk> wrote:
> 
> >
> > > On 6 Apr 2017, at 13:46, C. L. Martinez <carlopmart at gmail.com> wrote:
> > >
> > > And my last question: searching over the web to think about how to
> > > install and implement this solution, I see a lot of people use
> > > Elasticsearch 2.X/Logstash 2.X/Kibana 3.X or 4.X. Any technical reason
> > > not to use Elasticsearch/Logstash/Kibana 5?
> >
> > ELK’s been undergoing a lot of change recently, and it can be quite hard
> > work to update the stack due to breaking changes. If you’re starting from
> > scratch, though, you’re probably OK to use the latest. (We also run all the
> > ELK stuff on FreeBSD, even the Java-based bits - it’s not that bad!)
> >
> > As for remote logging... this is general advice rather than
> > suricata-specific, but we’ve found RabbitMQ to be a very good solution. If
> > a host’s software already has a RabbitMQ plugin (eg pmacct) then it talks
> > directly to the logging cluster’s RabbitMQ servers. If not, we use some
> > very basic logstash instances in the cluster to receive logs and put them
> > straight into RabbitMQ.
> >
> > Then some more complicated logstash processes (i.e. with all the
> > filters/munging/etc) take messages out of the queue and pump into
> > ElasticSearch.
> >
> > This all seems to be pretty robust, and also allows for easy
> > changes/upgrades to the logstash/ES instances without losing any log lines.
> >
> > HTH
> >
> > Oliver.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >

-- 
Greetings,
C. L. Martinez
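A concrete form of the two-stage layout Oliver describes in the quoted reply above (a thin Logstash receiver that only forwards into RabbitMQ, and a separate, heavier Logstash consumer that runs the filters and writes to Elasticsearch), written here as an added example; it is not from the thread or from any poster's setup. The two blocks are two separate pipeline files, and the hostnames, TCP port, exchange/queue names and index pattern are assumptions.

```logstash
# --- receiver.conf: thin edge receiver on the logging cluster ---
# Sensors ship Suricata eve.json over TCP; no filtering here, just hand-off.
input {
  tcp {
    port  => 5514            # assumed listener port
    codec => json_lines      # one eve.json event per line
  }
}
output {
  rabbitmq {
    host          => "mq.example.internal"   # assumed broker
    user          => "logstash"
    password      => "${RABBITMQ_PASSWORD}"  # keystore/env variable
    exchange      => "suricata"
    exchange_type => "direct"
    key           => "eve"
    durable       => true    # exchange survives a broker restart
    persistent    => true    # messages are written to disk
  }
}

# --- consumer.conf: the heavy pipeline, safe to stop and upgrade ---
# Events keep queueing on the broker while this side is down; a
# message is acked once it enters the pipeline, never before.
input {
  rabbitmq {
    host           => "mq.example.internal"
    user           => "logstash"
    password       => "${RABBITMQ_PASSWORD}"
    queue          => "suricata-eve"         # assumed queue name
    exchange       => "suricata"
    key            => "eve"
    durable        => true
    ack            => true
    prefetch_count => 256
    codec          => json
  }
}
filter {
  date { match => [ "timestamp", "ISO8601" ] }  # sensor time, not ingest time
  if [event_type] == "alert" {
    geoip { source => "src_ip" }
  }
}
output {
  elasticsearch {
    hosts => ["https://es1.example.internal:9200"]   # assumed ES node
    index => "suricata-%{+YYYY.MM.dd}"
  }
}
```

Because eve.json carries alert details and, depending on sensor settings, packet payloads, the sensor-to-receiver hop should use the tcp input's ssl_* options or a TLS-terminating relay rather than plaintext. Restarting or upgrading consumer.conf alone leaves receiver.conf and the broker untouched, which is the property Oliver describes.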


