ELK汇集suricata、slips数据
1.编辑filebeat
1.配置filebeat.yml
filebeat.inputs:
  - type: filestream
    id: slips-alerts
    enabled: true
    paths:
      - /opt/slips/output/**/alerts.json
      - /opt/slips/output/alerts.json
    fields:
      event.module: slips
      slips.format: idea0
      observer.ip: 10.10.10.2
    fields_under_root: true
  - type: filestream
    id: suricata-eve
    enabled: true
    paths:
      - /usr/local/soft/suricata/var/log/suricata/eve.json
    parsers:
      - ndjson:
          target: ""
          add_error_key: true
    fields:
      event.module: suricata
      observer.name: suricata-10.10.10.2
      observer.ip: 10.10.10.2
    fields_under_root: true
output.logstash:
  hosts: ["10.10.10.1:5044"]
说明:此处 filebeat 到 logstash 的 5044 连接未启用 TLS,日志以明文经过网络;若两台主机不在同一受信网段,可在 output.logstash 下加 ssl.certificate_authorities 并在 logstash 的 beats 输入启用 ssl,两端需一致。
2.使配置生效
filebeat test config
filebeat test output
systemctl restart filebeat
2.编辑logstash
1.配置ingest-beats.conf
input {
  beats {
    port => 5044
  }
}
filter {
  # Suricata:filebeat 已 ndjson 解开,直接用 timestamp 覆盖 @timestamp
  if [event][module] == "suricata" {
    if [timestamp] {
      date {
        match => ["timestamp", "ISO8601"]
        target => "@timestamp"
      }
    }
    mutate { add_field => { "pipeline" => "suricata" } }
  } else if [event][module] == "slips" {
    mutate { add_field => { "pipeline" => "slips" } }
  }
}
output {
  # === Suricata 输出 ===
  if [event][module] == "suricata" {
    elasticsearch {
      hosts => ["https://10.10.10.1:9200"]
      data_stream => true
      data_stream_type => "logs"
      data_stream_dataset => "suricata.eve"
      data_stream_namespace => "default"
      ecs_compatibility => "v8"
      ssl_enabled => true
      ssl_certificate_authorities => ["/etc/logstash/certs/http_ca.crt"]
      user => "elastic"
      password => "jq5SSXIrIUXW=xDUWQRP"
    }
  }
  # === Slips 输出 ===
  else if [event][module] == "slips" {
    elasticsearch {
      hosts => ["https://10.10.10.1:9200"]
      data_stream => false
      index => "slips-alerts-%{+YYYY.MM.dd}"
      ssl_enabled => true
      ssl_certificate_authorities => ["/etc/logstash/certs/http_ca.crt"]
      user => "elastic"
      password => "jq5SSXIrIUXW=xDUWQRP"
    }
  }
}
说明:两个 elasticsearch 输出都把 elastic 超级用户的密码明文写在配置文件里;实际部署时建议用 bin/logstash-keystore 存入密码并以 password => "${ES_PWD}" 引用,并为 logstash 单独建一个只对 logs-suricata.eve-* 和 slips-alerts-* 有写权限的用户,而不是直接用 elastic。
2.使配置生效
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
systemctl restart logstash
3.编辑ElasticSearch索引
1.给suricata索引设定副本/分片模板
PASS='jq5SSXIrIUXW=xDUWQRP'
curl -k -u elastic:$PASS -X PUT "https://10.10.10.1:9200/_index_template/suricata-eve-template" \
  -H 'Content-Type: application/json' \
  -d '{
    "index_patterns": ["suricata-eve-*"],
    "template": { "settings": { "number_of_shards": 1, "number_of_replicas": 0 } },
    "priority": 500
  }'
注意:上面 logstash 的 Suricata 输出写入的是 data stream logs-suricata.eve-default,其后备索引名形如 .ds-logs-suricata.eve-default-*,并不匹配此模板的 suricata-eve-*,所以该模板不会作用到 Suricata 数据;如要生效,index_patterns 需改为 ["logs-suricata.eve-*"] 并在模板中加 "data_stream": {}。另外机器上已有 /etc/logstash/certs/http_ca.crt,curl 可用 --cacert 指向它来代替 -k,避免跳过证书校验;-u elastic:$PASS 会把密码暴露在进程列表和 shell 历史中,可改用 -u elastic 交互输入或 --netrc。
2.查看生成的suricata-eve索引
PASS='jq5SSXIrIUXW=xDUWQRP'
curl -k -u elastic:$PASS "https://10.10.10.1:9200/_cat/indices/suricata-eve-*?v&s=index"
3.查看data streams
curl -k -u elastic:$PASS "https://10.10.10.1:9200/_data_stream?pretty" | head -n 120
curl -k -u elastic:$PASS "https://10.10.10.1:9200/logs-suricata.eve-default/_count?pretty"
