Adding Elastic Suricata Integration version 2.24.0 to Security Onion v2.4.141

[fullerms]

Version

2.4.141

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

32

Storage for /

256GB

Storage for /nsm

500GB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Hi all,
(I am aware that SO can integrate with a remote deployment of Suricata, but its a bit too advanced for me now)

I am trying to integrate Opnsense-Suricata logs into SO so I can see the logs in Kibana dashboards. I have already setup the pfsense integration, and Unbound / Firewall dashboards are being populated. But no luck with Suricata, and I beleive I need to install the Elastic-Suricata integration to extract Suricata information from the Syslog stream.

The Suricata integration installed with SO appears to be an old Filebeats version which is no longer supported. How do I install the current version of the Elastic-Suricata integration which will then process the incoming syslog messages from Opnsense?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[fullerms]

This post indicates that all elastic integrations will be available from SO version 2.4.130

I'm running SO version v2.4.141, but the current version of the Suricata integration is not installed. What am I missing?

[cm-ops]

Thanks, you are probably right, they are coming in as syslog and not getting to the Suricata pipeline for processing. Can you show me what a full message looks like? Redacted if necessary.

[fullerms]

@cm-ops

The screen shot I posted above is all that I can see from a NAS which I used as a Syslog viewer for testing. I checked Data Discovery in Kibana, but the view there appears to be processed and is tagged with Unbound or Firewall.

How do I view the actual syslog message in SO?

Edit: I poked around Elastic --> Discover --> Security Onion - All Logs

Data View: logs-*
I see Unbound and Firewall in the event.provider field, but Suricata is not present.

There is an ingest pipeline called logs-pfsense.log-1.21.0-suricata, but I am not sure what it does and how to check if it works

[cm-ops]

If you are in SOC, you can go to Dashboards and select the Syslog dashboard or in Hunt, select Syslog, open one of the events and add the message field to a groupby to see them in group metrics.

Below is what that ingest pipeline is. My guess is the logs aren't being seen as Suricata and not making it past logs-pfsense.log-1.21.0 pipeline.

[root@so-managersearch ~]# so-elasticsearch-pipeline-view logs-pfsense.log-1.21.0-suricata
{
  "description": "Pipeline for parsing pfSense Suricata logs.",
  "processors": [
    {
      "set": {
        "field": "event.module",
        "value": "suricata"
      }
    },
    {
      "pipeline": {
        "name": "suricata.common_pfsense"
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "event.kind",
        "value": "pipeline_error"
      }
    },
    {
      "append": {
        "field": "error.message",
        "value": "{{{ _ingest.on_failure_message }}}"
      }
    }
  ],
  "_meta": {
    "managed_by": "fleet",
    "managed": true,
    "package": {
      "name": "pfsense"
    }
  }
}

[fullerms]

If you are in SOC, you can go to Dashboards and select the Syslog dashboard or in Hunt, select Syslog, open one of the events and add the message field to a groupby to see them in group metrics.

Nope, nothing to see there :(

I guess I will have to wait until the suricata integration is upgraded to the Elastic Agents version in SO

[fullerms]

@cm-ops I was able to capture the syslog traffic on the Opnsense device and then export it. Here are two sample Suricata log messages converted to text from the Opnsense Syslog Stream.

<173>1 2025-05-24T19:38:00+10:00 device_name_snipped suricata 37296 - [meta sequenceId="2"] [Drop] [1:2047703:1] ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI [Classification: Misc activity] [Priority: 3] {TCP} source_redacted-> destination_redacted

<173>1 2025-05-25T00:00:33+10:00 device_name_snipped suricata 37296 - [meta sequenceId="32"] [Drop] [1:2046656:1] ET INFO Commonly Abused File Sharing Domain (wasabisys .com) in DNS Lookup [Classification: Misc activity] [Priority: 3] {UDP} source_redacted-> destination_redacted