Usage is relatively simple. Assuming Snort is logging to /var/log/snort, the following command line should do:

idstools-u2json -c /etc/snort/snort.conf \
    --directory /var/log/snort \
    --prefix unified2.log \
    --follow --bookmark \
    --output /var/log/snort/alerts.json
As the output is in the same format as Suricata's, you can refer to this guide for the Logstash setup.
One extra step I did was use Logstash to add an "engine" field to each entry. This can be accomplished by adapting the following Logstash configuration:
input {
  file {
    path => ["/var/log/suricata/eve.json"]
    codec => json
    type => "suricata-json"
  }
  file {
    path => ["/var/log/snort/alerts.json"]
    codec => json
    type => "snort-json"
  }
}

filter {
  if [type] == "suricata-json" {
    mutate { add_field => { "engine" => "suricata" } }
  }
  if [type] == "snort-json" {
    mutate { add_field => { "engine" => "snort" } }
  }
}
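The two pieces above, the follow/bookmark behaviour of idstools-u2json and the "engine" tagging done in the Logstash filter, can be shown in a few lines of Python. The following is an added example, not code from the original post or from the idstools project: it reads the line-delimited JSON that idstools-u2json writes, adds an "engine" field to each record, and keeps a byte-offset bookmark file so a restart resumes at the first unread record. All file paths and the sample alert records are constructed for the demonstration.

```python
"""Added example (not from the original post or from idstools): tag
line-delimited JSON alerts with an "engine" field and resume from a
bookmarked offset, mirroring `--follow --bookmark` and the Logstash
`add_field` filter. Paths and sample records are constructed."""
import json
import os
import tempfile

# Constructed records in the EVE-style layout idstools-u2json emits.
SAMPLE_EVENTS = [
    '{"timestamp":"2020-01-01T00:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1000001,"signature":"TEST rule one","severity":3}}',
    '{"timestamp":"2020-01-01T00:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"UDP",'
    '"alert":{"signature_id":1000002,"signature":"TEST rule two","severity":2}}',
    '{"timestamp":"2020-01-01T00:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1000003,"signature":"TEST rule three","severity":1}}',
]


def read_new_events(path, engine, bookmark_path):
    """Return the JSON records appended to `path` since the offset stored in
    `bookmark_path`, each with an added "engine" field, then update the
    bookmark. Malformed lines are skipped; a trailing line without a newline
    (still being written) is left unread for the next call."""
    offset = 0
    if os.path.exists(bookmark_path):
        with open(bookmark_path) as fh:
            offset = int(fh.read().strip() or 0)

    events = []
    with open(path, "rb") as fh:
        size = os.fstat(fh.fileno()).st_size
        if offset > size:
            offset = 0          # file was truncated or rotated: start over
        fh.seek(offset)
        while True:
            line = fh.readline()
            if not line or not line.endswith(b"\n"):
                break           # EOF, or a partial write: do not consume it
            offset = fh.tell()  # only advance past complete lines
            try:
                rec = json.loads(line)
            except ValueError:
                continue        # skip corrupt lines rather than abort
            if not isinstance(rec, dict):
                continue
            rec["engine"] = engine
            events.append(rec)

    with open(bookmark_path, "w") as fh:
        fh.write(str(offset))
    return events


def demo():
    """Run the reader twice against a constructed alerts file to show that
    the second pass returns only what was appended after the first."""
    workdir = tempfile.mkdtemp()
    alerts = os.path.join(workdir, "alerts.json")
    bookmark = os.path.join(workdir, "alerts.json.bookmark")

    with open(alerts, "w") as fh:
        fh.write("\n".join(SAMPLE_EVENTS[:2]) + "\n")
    first = read_new_events(alerts, "snort", bookmark)

    with open(alerts, "a") as fh:
        fh.write("this line is not JSON\n")        # constructed corrupt line
        fh.write(SAMPLE_EVENTS[2] + "\n")
        fh.write('{"timestamp":"2020-01-01T00')    # constructed partial write
    second = read_new_events(alerts, "snort", bookmark)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(len(first), "records on first pass,", len(second), "on second")
    for rec in first + second:
        print(rec["engine"], rec["alert"]["signature_id"], rec["alert"]["signature"])
```

The bookmark is only advanced past lines that end in a newline, which is what keeps a reader that is tailing a live file from consuming half of a record the writer has not finished; the same concern is why the Logstash file input tracks its own sincedb position.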
Check out the documentation for more information.