Wazuh Suricata configuration


Allan Patrick

Sep 1, 2022, 2:49:38 PM
to Wazuh mailing list
Hello, what would be the best practice to avoid excessive log submissions?

<localfile>
<log_format>snort-full</log_format>
<location>/var/log/suricata/fast.log</location>
</localfile>

or

<localfile>
 <log_format>json</log_format>
 <location>/var/log/suricata/eve.json</location>
</localfile>

I think in the eve.json format there is a lot more data, with more delay.

Thanks

Ariel Ojeda

Sep 1, 2022, 4:05:40 PM
to Wazuh mailing list
Hi!

I hope you are well today and thank you for using the Wazuh Community!

About your question,

The JSON log format is almost always preferred over other formats, as Wazuh has a default JSON decoder, so there is no need to write custom decoders for these logs, as is sometimes the case with other log formats.

In the case of Suricata logs, the JSON logs include much more information and this can be very useful when analyzing the alerts in the Wazuh-dashboard, or when writing custom rules.

Please note that by default, Wazuh only writes alerts for events that are matched by rules of level 3 or higher (default value), so not every log sent to Wazuh will necessarily be written to the alerts.json file or be indexed in the Wazuh-indexer.

There is a tool in Wazuh that you can use to check if the logs you want to ingest will be decoded or not with the default decoders or if you will need to write a custom one. This tool also lets you know if a rule would be matched or if you will need to write a custom rule to generate alerts for these events. This could probably help you determine if the default Suricata log format would provide enough information for your needs or if you would still prefer to use the recommended JSON format.


Here you can find more information about ingesting Suricata logs in Wazuh:

I hope this information is helpful,

Ariel.
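To make the two points above concrete (the JSON decoder needs no custom parsing, and eve.json carries far more fields, as well as far more event types, than fast.log), here is an added example that is not part of the original thread and not Wazuh or Suricata project code. All log lines in it are constructed: the sids 1000001 and 1000002 are in the local-rule range, the signature names are made up, and the mix of event types is arbitrary. The `flatten()` helper only mimics the dotted field paths used in Wazuh rules (e.g. `alert.signature`); it is not the Wazuh JSON decoder itself.

```python
"""Compare what Wazuh would receive from Suricata's fast.log and eve.json.

Added example for this thread; not Wazuh or Suricata project code.
All log lines are constructed: sids 1000001/1000002 are local-rule ids and
the signature names are made up. flatten() mimics the dotted field paths
Wazuh rules use (e.g. alert.signature); it is not the Wazuh JSON decoder.
"""
import json
import re
from collections import Counter

# Constructed fast.log lines: the same two alerts as in the eve.json sample.
FAST_LOG = (
    "09/01/2022-14:49:38.123456  [**] [1:1000001:1] LOCAL example signature [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:44321 -> 10.0.0.5:80\n"
    "09/01/2022-14:49:39.654321  [**] [1:1000002:1] LOCAL second signature [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {UDP} 10.0.0.5:53 -> 192.168.1.10:51000\n"
)

# Constructed eve.json lines: 2 alerts plus 5 non-alert event types that
# Suricata also writes to eve.json by default (http, dns, flow, tls, stats).
EVE_JSON = """\
{"timestamp":"2022-09-01T14:49:38.123456+0000","flow_id":1694421541209839,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.1.10","src_port":44321,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL example signature","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"10.0.0.5","url":"/","http_method":"GET","status":200}}
{"timestamp":"2022-09-01T14:49:38.200000+0000","flow_id":1694421541209839,"event_type":"http","src_ip":"192.168.1.10","src_port":44321,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","http":{"hostname":"10.0.0.5","url":"/","http_method":"GET","status":200,"length":512}}
{"timestamp":"2022-09-01T14:49:39.654321+0000","flow_id":2208123004177331,"event_type":"alert","src_ip":"10.0.0.5","src_port":53,"dest_ip":"192.168.1.10","dest_port":51000,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL second signature","category":"Attempted Information Leak","severity":3}}
{"timestamp":"2022-09-01T14:49:39.700000+0000","flow_id":2208123004177331,"event_type":"dns","src_ip":"192.168.1.10","src_port":51000,"dest_ip":"10.0.0.5","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4242,"rrname":"example.test","rrtype":"A"}}
{"timestamp":"2022-09-01T14:49:40.000000+0000","flow_id":1694421541209839,"event_type":"flow","src_ip":"192.168.1.10","src_port":44321,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":700,"bytes_toclient":2300,"state":"closed"}}
{"timestamp":"2022-09-01T14:49:41.000000+0000","flow_id":3311230051907712,"event_type":"tls","src_ip":"192.168.1.10","src_port":50222,"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","tls":{"sni":"example.test","version":"TLS 1.3"}}
{"timestamp":"2022-09-01T14:49:46.000000+0000","event_type":"stats","stats":{"uptime":3600,"capture":{"kernel_packets":182034,"kernel_drops":0}}}
"""

# fast.log has no self-describing structure, so a decoder must hand-write a
# pattern like this one (ports are optional because ICMP lines have none).
FAST_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>\S+?)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dest_ip>\S+?)(?::(?P<dest_port>\d+))?$"
)


def parse_fast_log(text):
    """Parse fast.log lines into flat dicts; lines the pattern misses are dropped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            events.append({k: v for k, v in m.groupdict().items() if v is not None})
    return events


def flatten(obj, prefix=""):
    """Turn nested JSON into dotted keys, e.g. {"alert": {"signature": x}} -> alert.signature."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def parse_eve_json(text):
    """Parse eve.json: one JSON object per line, no custom pattern needed."""
    return [flatten(json.loads(line)) for line in text.splitlines() if line.strip()]


def event_type_counts(events):
    """How many events of each Suricata event_type the file carries."""
    return Counter(e.get("event_type", "<none>") for e in events)


def only_alerts(events):
    """Keep just the alert events, the ones fast.log would also have contained."""
    return [e for e in events if e.get("event_type") == "alert"]


def fields_only_in_eve(eve_alert, fast_alert):
    """Fields a rule could match on in eve.json that fast.log never provides."""
    return sorted(set(eve_alert) - set(fast_alert))


if __name__ == "__main__":
    fast = parse_fast_log(FAST_LOG)
    eve = parse_eve_json(EVE_JSON)
    print("fast.log events:", len(fast))
    print("eve.json events by type:", dict(event_type_counts(eve)))
    print("eve.json alert events:", len(only_alerts(eve)))
    print("fields only in eve.json alert:", fields_only_in_eve(only_alerts(eve)[0], fast[0]))
```

Running it shows where the extra volume in eve.json comes from: the same two alerts exist in both files, but eve.json also carries the http, dns, flow, tls and stats records, and that is the bulk of what the agent forwards. The alert records themselves expose `flow_id`, `alert.signature_id`, `alert.severity` and the `http.*` metadata as plain field names, which is what makes the JSON decoder and custom `<field>` rules practical without a hand-written decoder.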

Allan Patrick

Sep 1, 2022, 4:29:16 PM
to Wazuh mailing list

Many thanks.

In summary, would the format below be the best?


<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

Does it use Wazuh rules to classify/block, Suricata's rules, or both?

Ariel Ojeda

Sep 5, 2022, 10:19:23 AM
to Wazuh mailing list
Hi!

Yes, that is the correct configuration for the JSON logs. Regarding your question about the rules, you can click the following link to see the default Wazuh rules for Suricata events:


As mentioned before, you can use the Wazuh ruletest tool to verify if a given event will be captured by a default rule. If that is not the case, you can write your own rules for them, click the following link to get more information:


I hope this helps!

Ariel.