====== Web interface for Suricata on NethServer 7 ======

Subtitle: How to install and configure a web interface on the ELK stack for Suricata
Version and revision: V1.0 / R 0.0, for NethServer 7
Accessible to: Intermediate / Advanced / Developer
Date of presentation: 2016-09-14

===== Enable eve-log =====

<code bash>
config setprop suricata EveLog yes
signal-event nethserver-suricata-update
</code>

===== Install ELK stack =====

See: How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on NethServer 7

===== Configure Logstash =====

Edit the Logstash configuration file:

<code bash>
vi /etc/logstash/conf.d/logstash.conf
</code>

<code>
input {
  file {
    path => ["/var/log/suricata/eve.json"]
    codec => json
    type => "eve-json"
    add_field => ["engine", "suricata"]
    sincedb_path => "/tmp/.sincedb_eve"
  }
}

filter {
  if [type] == "eve-json" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  if [event_type] == "alert" {
    mutate {
      add_tag => ["inbox"]
    }
  }
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {}
}
</code>

Two things to keep in mind with this configuration: the ''stdout { codec => rubydebug }'' output prints every event to Logstash's standard output, which is useful while testing but noisy once the pipeline runs permanently; and ''sincedb_path => "/tmp/.sincedb_eve"'' stores the read position under /tmp, so if that file is cleared at reboot the whole of eve.json is indexed again.

Then restart Logstash:

<code bash>
systemctl restart logstash
</code>

===== Kibana Templates for Suricata =====

You can find Kibana templates here: https://github.com/StamusNetworks/KTS.
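Before loading the Kibana templates it helps to know exactly what the Logstash filter from the Configure Logstash section will emit. The following Python script is an added example (not code from this page, NethServer or Logstash) that applies the same rules to a few constructed eve.json lines; GEO_LOOKUP is a hypothetical stand-in for the geoip filter's database.

```python
import json
from datetime import datetime

# Constructed sample eve.json lines (not real traffic): an alert, a flow
# record, an event without src_ip, and one line that is not valid JSON.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-09-14T10:15:30.123456+0200","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"alert":{"signature":"CONSTRUCTED test alert","severity":2}}',
    '{"timestamp":"2016-09-14T10:15:31.000000+0200","event_type":"flow",'
    '"src_ip":"192.0.2.11","dest_ip":"198.51.100.5"}',
    '{"timestamp":"2016-09-14T10:15:32.000000+0200","event_type":"stats"}',
    'this is not json',
]

# Hypothetical stand-in for the geoip filter's database: ip -> (lon, lat).
GEO_LOOKUP = {"192.0.2.10": (-122.42, 37.77), "192.0.2.11": (2.35, 48.86)}


def transform_eve_line(line, geo_lookup=GEO_LOOKUP):
    """Apply the filter rules of the Logstash config to one eve.json line.
    Returns the enriched event, or None when the line is not valid JSON
    (Logstash would keep it as a raw message tagged _jsonparsefailure)."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    event["type"] = "eve-json"               # file input: type / add_field
    event["engine"] = "suricata"
    ts = event.get("timestamp")
    if ts:                                   # date filter: ISO8601 -> @timestamp
        event["@timestamp"] = datetime.strptime(
            ts, "%Y-%m-%dT%H:%M:%S.%f%z").isoformat()
    if event.get("event_type") == "alert":   # mutate: add_tag inbox
        event.setdefault("tags", []).append("inbox")
    src = event.get("src_ip")
    if src and src in geo_lookup:            # geoip: [lon, lat] as floats
        lon, lat = geo_lookup[src]
        event["geoip"] = {"longitude": lon, "latitude": lat,
                          "coordinates": [float(lon), float(lat)]}
    return event


def process_eve(lines, geo_lookup=GEO_LOOKUP):
    """Run all lines through the filter; returns (events, parse_failures)."""
    results = [transform_eve_line(line, geo_lookup) for line in lines]
    events = [event for event in results if event is not None]
    return events, len(results) - len(events)
```

Only alert events receive the inbox tag that Kibana and EveBox can filter on, and events without src_ip get no geoip block at all.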
To get them working, you need to install the Timelion plugin for Kibana:

<code bash>
/opt/kibana/bin/kibana plugin -i elastic/timelion
</code>

===== EveBox =====

To launch EveBox, download it and execute it:

<code bash>
cat > /etc/yum.repos.d/evebox.repo << EOF
[bintraybintray-jasonish-evebox-development-rpm-x86_64]
name=bintray-jasonish-evebox-development-rpm-x86_64
baseurl=https://dl.bintray.com/jasonish/evebox-development-rpm-x86_64
gpgcheck=0
repo_gpgcheck=0
enabled=1
EOF
yum -y install evebox
systemctl start evebox
</code>

Note that ''gpgcheck=0'' and ''repo_gpgcheck=0'' turn off signature verification for this repository, so yum installs the package without checking who built it.

To start EveBox at boot:

<code bash>
systemctl enable evebox
</code>

Open the EveBox port (5636) from local networks only:

<code bash>
config set fw_evebox service status enabled TCPPort 5636 access private
signal-event firewall-adjust
</code>

===== Scirius =====

Scirius (https://github.com/StamusNetworks/scirius) is a web interface dedicated to Suricata ruleset management.

<code bash>
yum -y install python-pip python-devel git gcc
git clone https://github.com/StamusNetworks/scirius.git
cd scirius/
</code>

Install the required Python modules and initialise the database:

<code bash>
pip install -r requirements.txt
pip install pyinotify
pip install gitdb
python manage.py syncdb
</code>

Run the development server. Without an address it listens on 127.0.0.1 only; bind it to 0.0.0.0:8000 to reach it from the local network:

<code bash>
python manage.py runserver
python manage.py runserver 0.0.0.0:8000
</code>

Open the Scirius port (8000) from local networks only:

<code bash>
config set fw_scirius service status enabled TCPPort 8000 access private
signal-event firewall-adjust
</code>

===== Delete Network Services =====

If the web interface does not work or you no longer want it, remove the firewall service entries again (and run ''signal-event firewall-adjust'' afterwards so the change is applied):

<code bash>
config delete fw_evebox
config delete fw_scirius
config delete fw_kibana
</code>

Tags: userguide, ht gateway
userguide/web_interface_for_suricata.txt · Last modified: 2017/06/05 19:52 by Aaron