Question

How to import syslog into Suricata and Elastic Stack SIEM

Hello,

I followed the tutorial (https://www.digitalocean.com/community/tutorials/how-to-build-a-siem-with-suricata-and-elastic-stack-on-ubuntu-20-04). Thank you by the way for this very complete tutorial.

However, I cannot find how to import log files coming from an external source into the SIEM (I have a Windows machine sending logs with nxlog, collected by rsyslog on the Ubuntu server).

I have tried configuring filebeat.yml (enabled filebeat.inputs and set the paths to /var/log/*/*.log), but this does not send any of the log files in this folder to the SIEM.

Could you please indicate to me what I am doing wrong? Is the import of log files done in Suricata instead?

I would very much appreciate any help, I am a bit lost on this topic.

Thank you,

PS: please excuse me if I chose the wrong topic.
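As an added example (not part of the original question or of the DigitalOcean tutorial), below is the shape of a Filebeat input that picks up files written by rsyslog and ships them to the same Elasticsearch output the tutorial configures. The path `/var/log/remote/<hostname>/` is an assumption standing in for wherever your rsyslog omfile template writes the forwarded events; the Suricata module from the tutorial keeps working alongside this input. One caveat worth checking first: a glob such as `/var/log/*/*.log` only matches files exactly one directory below `/var/log`, so anything rsyslog writes directly into `/var/log` (for example `/var/log/syslog`) needs its own `paths` entry.

```yaml
# Added example for filebeat.yml (Filebeat 7.x / 8.x). Not from the tutorial
# or the original post. Keep the output.elasticsearch / setup.kibana sections
# you already have from the tutorial; only the inputs section is shown here.
#
# Assumption (hypothetical path): rsyslog stores the events forwarded by
# nxlog under /var/log/remote/<hostname>/*.log. Adjust to match the omfile
# template in your rsyslog configuration.
filebeat.inputs:
  - type: filestream
    id: rsyslog-remote           # unique id; filestream inputs require one
    enabled: true                # the stock filebeat.yml ships with enabled: false
    paths:
      # One glob level per directory: this matches /var/log/remote/HOST/app.log
      # but NOT /var/log/remote/app.log or /var/log/syslog.
      - /var/log/remote/*/*.log
      # Files written directly into /var/log need their own entry.
      - /var/log/syslog
    tags: ["rsyslog-remote"]     # lets you filter these events in Kibana Discover
    # Filebeat ships each line as-is in the "message" field; the syslog header
    # (timestamp, host, program) is not parsed by this input on its own.
```

After saving the file, validate the syntax with `sudo filebeat test config`, restart the service with `sudo systemctl restart filebeat`, and search for `tags: rsyslog-remote` in Kibana Discover on the `filebeat-*` index pattern. Because this input bypasses the Suricata module's ingest pipeline, the events arrive with the raw syslog line in `message`; parsing the header into structured fields would be a separate step (a Filebeat processor or an Elasticsearch ingest pipeline).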
