suricata-logs Log Parser

This parser supports both formats :

the JSON eve.json format (type: suricata-evelogs)
the text fast.log format (type: suricata-fastlogs)

The parser only parses logs that are alerts.

1onsuccess: next_stage

2filter: "evt.Parsed.program == 'suricata-fastlogs'"

3name: crowdsecurity/suricata-fastlogs

4description: "Parse suricata fast.log"

5pattern_syntax:

6 SURICATA_MARKER: '\[\*\*\]'

7 SURICATA_DATE: '%{DATE_US:date}-%{TIME:time}'

8 SURICATA_RULE_ID: '\[%{NUMBER:suricata_rule_severity}:%{NUMBER:rule_id}:%{NUMBER:suricata_alert_signature_rev}\]'

9grok:

10 pattern: '%{SURICATA_DATE} %{SURICATA_MARKER} %{SURICATA_RULE_ID} %{DATA:suricata_alert_signature} %{SURICATA_MARKER} \[Classification: %{DATA:suricata_classification}\] \[Priority: %{NUMBER:suricata_priority}\] \{%{DATA:proto}\} %{IP:source_ip}:%{NUMBER:source_port} \-> %{IP:dest_ip}:%{NUMBER:dest_port}'

11 apply_on: message

12statics:

13 - meta: service

14 value: suricata

15 - meta: log_type

16 value: suricata_alert

17 - meta: sub_log_type

18 value: suricata_alert_fast_log

19 #we build back RFC3339 format

20 - target: evt.Parsed.suricata_timestamp

21 expression: evt.Parsed.date + ' ' + evt.Parsed.time

22 - target: evt.StrTime

23 expression: evt.Parsed.date + ' ' + evt.Parsed.time

24 - meta: suricata_alert_signature_id

25 expression: evt.Parsed.rule_id

26 - meta: suricata_rule_severity

27 expression: evt.Parsed.suricata_rule_severity

28 - meta: source_ip

29 expression: evt.Parsed.source_ip

30---

31onsuccess: next_stage

32filter: |

33 evt.Parsed.program == "suricata-evelogs" && JsonExtract(evt.Parsed.message, "event_type") == "alert"

34name: crowdsecurity/suricata-evelogs

35description: "Parse suricata eve.json logs"

36pattern_syntax:

37 SURICATA_EVE_TS: '%{TIMESTAMP_ISO8601:time}'

38nodes:

39 - grok:

40 pattern: '%{SURICATA_EVE_TS:time}(\-|\+)%{INT}'

41 expression: JsonExtract(evt.Parsed.message, "timestamp")

42statics:

43 - meta: service

44 value: suricata

45 - meta: log_type

46 value: suricata_alert

47 - meta: sub_log_type

48 value: suricata_alert_eve_json

49 - target: evt.StrTime

50 expression: evt.Parsed.time + 'Z'

51 - target: evt.Meta.suricata_flow_id

52 expression: JsonExtract(evt.Parsed.message, "flow_id")

53 - target: evt.Meta.source_ip

54 expression: JsonExtract(evt.Parsed.message, "src_ip")

55 - target: evt.Parsed.dest_ip

56 expression: JsonExtract(evt.Parsed.message, "dest_ip")

57 - target: evt.Parsed.dest_port

58 expression: JsonExtract(evt.Parsed.message, "dest_port")

59 - target: evt.Parsed.proto

60 expression: JsonExtract(evt.Parsed.message, "proto")

61 - target: evt.Meta.suricata_alert_signature_id

62 expression: JsonExtract(evt.Parsed.message, "alert.signature_id")

63 - target: evt.Parsed.suricata_alert_signature_rev

64 expression: JsonExtract(evt.Parsed.message, "alert.rev")

65 - target: evt.Parsed.suricata_alert_signature

66 expression: JsonExtract(evt.Parsed.message, "alert.signature")

67 - target: evt.Meta.suricata_rule_severity

68 expression: JsonExtract(evt.Parsed.message, "alert.severity")

Hub configuration

« suricata-logs »
v0.6 by crowdsecurity
Log parser

Hub configuration

« suricata-logs »v0.6 by crowdsecurityLog parser

« suricata-logs »
v0.6 by crowdsecurity
Log parser