Installing Suricata and Filebeat on Centos and Shipping Suricata Logs to Elastic SIEM

Suricata is an open-source network intrusion detection system (NIDS). It can be deployed on dedicated hardware to monitor one or more transit points on your network, or directly on existing Unix-like hosts to monitor just their own traffic. Because Suricata writes its events as JSON (the eve.json log), it integrates cleanly with Elastic SIEM.

For the full video tutorial go to the bottom of the post.

Switch to the root user

sudo su -

Install the EPEL repository, wget and jq (jq is useful later for reading Suricata's JSON output)

yum -y install epel-release wget jq

Curl the following URL

curl -O

Install Suricata

yum -y install suricata

Download the Emerging Threats open ruleset for Suricata (the archive used below is emerging.rules.tar.gz)


Extract Suricata Rules

tar zxvf emerging.rules.tar.gz

Remove the rules shipped with the package; every rule will come from the Emerging Threats set instead

rm -f /etc/suricata/rules/*

Move the rules from the extracted archive into the rules directory

mv rules/*.rules /etc/suricata/rules/

Delete the packaged suricata.yaml. This is safe here only because the next step downloads a complete replacement; if you have local edits in it, move it aside instead of deleting it.

rm -f /etc/suricata/suricata.yaml

Download the suricata.yaml from this URL. Before starting Suricata, check that the af-packet interface, HOME_NET and the eve-log output in the downloaded file match your host; Filebeat reads eve.json, so that output must be enabled.

wget -O /etc/suricata/suricata.yaml

Run the following to enable and start Suricata under systemd

systemctl daemon-reload
systemctl enable suricata
systemctl start suricata

Test Suricata

Generate test traffic by curling the following URL (the request carries curl's User-Agent, which a policy rule in the Emerging Threats set alerts on)


Check the Suricata log

tail -n1 /var/log/suricata/fast.log

The last line should be the alert for the test request, for example:

08/21/2020-22:56:10.249355  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ->

fast.log is only the one-line summary; the same alert is written as JSON to /var/log/suricata/eve.json, which is the file Filebeat ships to Elastic SIEM.
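The rm -f / mv steps above work, but they leave no way back if the download was bad, and the fast.log check proves only the one-line log, not eve.json, which is what Filebeat will actually ship. The script below is an added example, not code from the original post or from the Suricata project: it does the same rule refresh with a timestamped backup, runs Suricata's own config test before reloading, reloads rules live, and counts the test alert in eve.json. Paths are the CentOS package defaults; the RULES_TARBALL variable, the script name and the sample eve.json used to check it are assumptions.

```shell
#!/usr/bin/env bash
# update-suricata-rules.sh: added example, not code from the original post.
# Replaces the rm -f / mv steps with a refresh that keeps a backup, validates
# the result before Suricata reloads, and confirms the test alert in eve.json
# (the file Filebeat ships; fast.log is only the one-line view).
# Paths are the CentOS package defaults; RULES_TARBALL is an assumption that
# the caller supplies after downloading the Emerging Threats archive.
set -euo pipefail

RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
CONFIG="${CONFIG:-/etc/suricata/suricata.yaml}"
EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"

# Unpack an Emerging Threats style tarball (its top level is a rules/
# directory) and install every *.rules file. The old rule directory is moved
# to a timestamped backup first, so a truncated or bad download can be rolled
# back instead of leaving the sensor with no rules. Prints the number of rule
# files installed.
install_rules() {
    local tarball="$1" rules_dir="$2"
    local tmp backup
    tmp="$(mktemp -d)"
    tar -xzf "$tarball" -C "$tmp"
    if [ -d "$rules_dir" ] && [ -n "$(ls -A "$rules_dir")" ]; then
        backup="${rules_dir}.bak.$(date +%Y%m%d%H%M%S)"
        mv "$rules_dir" "$backup"
        echo "previous rules saved to $backup" >&2
    fi
    mkdir -p "$rules_dir"
    cp "$tmp"/rules/*.rules "$rules_dir"/
    rm -rf "$tmp"
    find "$rules_dir" -name '*.rules' | wc -l | tr -d ' '
}

# Parse the config and load every rule file without starting capture. A typo
# in suricata.yaml or a rule that fails to parse fails here, not as a sensor
# that is silently dead after "systemctl restart suricata".
validate_config() {
    suricata -T -c "$1" -v
}

# Live rule reload: SIGUSR2 makes a running Suricata re-read its rule files
# without dropping the packet capture.
reload_rules() {
    kill -USR2 "$(pidof suricata)"
}

# Count eve.json alert records carrying one signature id. eve.json is
# newline-delimited JSON (one event per line), so a grep over the two fields
# is enough for a yes/no check; use jq (installed above) for anything richer,
# e.g. jq -c 'select(.event_type=="alert") | .alert.signature' eve.json
count_alerts() {
    local eve="$1" sid="$2"
    grep -c -E "\"event_type\": *\"alert\".*\"signature_id\": *${sid}[,}]" "$eve" || true
}

# Usage (as root):
#   RULES_TARBALL=/root/emerging.rules.tar.gz ./update-suricata-rules.sh run
# then curl the test URL from the post and run "./update-suricata-rules.sh check".
case "${1:-}" in
    run)
        install_rules "${RULES_TARBALL:?path to the downloaded emerging.rules.tar.gz}" "$RULES_DIR"
        validate_config "$CONFIG"
        reload_rules
        ;;
    check)
        # 2013028 is the sid of "ET POLICY curl User-Agent Outbound" in the
        # fast.log line above.
        echo "alerts for sid 2013028 in $EVE_LOG: $(count_alerts "$EVE_LOG" 2013028)"
        ;;
esac
```

The backup directory is deliberately left in place; once the new set has run clean for a while, delete it by hand. If the config test fails, the old rules are still on disk and Suricata has not been signalled, so the running sensor is unaffected.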


To set up Filebeat, follow the directions at the following URL for your Elastic SIEM instance.

For my instance I used Elastic cloud.
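As an added example, not code from the original post or from Elastic's setup page, the script below does the Elastic Cloud half of the Filebeat setup on the sensor: it renders filebeat.yml and the Suricata module file pointing at eve.json, decodes the cloud.id so you can see which endpoint the sensor needs egress to before opening a firewall, and enables the module. CLOUD_ID, CLOUD_AUTH, the deployment name and the script name are placeholders; the paths are the CentOS package defaults.

```shell
#!/usr/bin/env bash
# filebeat-suricata-cloud.sh: added example, not code from the original post
# or from Elastic's own setup page. Generates the two Filebeat config files
# the Suricata module needs, shows which Elasticsearch endpoint a cloud.id
# resolves to, and enables the module. CLOUD_ID/CLOUD_AUTH are placeholders
# read from the environment; paths are the CentOS package defaults.
set -euo pipefail

EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"
FILEBEAT_DIR="${FILEBEAT_DIR:-/etc/filebeat}"

# filebeat.yml for Elastic Cloud: cloud.id and cloud.auth replace the
# output.elasticsearch host list and the setup.kibana host.
render_filebeat_yml() {
    local cloud_id="$1" cloud_auth="$2"
    cat <<EOF
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false
cloud.id: "${cloud_id}"
cloud.auth: "${cloud_auth}"
EOF
}

# modules.d/suricata.yml: enable the eve fileset and name the log path
# explicitly instead of relying on the module's default glob.
render_suricata_module() {
    local eve="$1"
    cat <<EOF
- module: suricata
  eve:
    enabled: true
    var.paths: ["${eve}"]
EOF
}

# Decode a cloud.id into the HTTPS endpoint Filebeat will use. The layout is
# "<deployment name>:<base64 of host[:port]$<es uuid>$<kibana uuid>>", and
# Filebeat connects to https://<es uuid>.<host>:<port> (port 443 when the
# host carries none).
cloud_id_endpoint() {
    local cloud_id="$1" decoded host es hostname port
    decoded="$(printf '%s' "${cloud_id#*:}" | base64 --decode)"
    host="${decoded%%\$*}"
    es="${decoded#*\$}"
    es="${es%%\$*}"
    if [ "${host#*:}" != "$host" ]; then
        hostname="${host%%:*}"
        port="${host##*:}"
    else
        hostname="$host"
        port=443
    fi
    printf 'https://%s.%s:%s\n' "$es" "$hostname" "$port"
}

# Usage (as root):
#   CLOUD_ID='deployment:...' CLOUD_AUTH='user:password' ./filebeat-suricata-cloud.sh run
if [ "${1:-}" = "run" ]; then
    : "${CLOUD_ID:?deployment cloud.id from the Elastic Cloud console}"
    : "${CLOUD_AUTH:?user:password for the deployment}"
    echo "Filebeat will ship to $(cloud_id_endpoint "$CLOUD_ID")"
    render_filebeat_yml "$CLOUD_ID" "$CLOUD_AUTH" > "$FILEBEAT_DIR/filebeat.yml"
    chmod 600 "$FILEBEAT_DIR/filebeat.yml"      # the file now holds credentials
    filebeat modules enable suricata
    render_suricata_module "$EVE_LOG" > "$FILEBEAT_DIR/modules.d/suricata.yml"
    filebeat test output                          # connectivity and auth check
    filebeat setup                                # index template, ingest pipeline, dashboards
    systemctl enable --now filebeat
fi
```

Credentials are passed through the environment rather than typed as literals so they do not land in the shell history, and filebeat.yml is made mode 600 because it contains them. Run "filebeat test output" again after any firewall change; it is the quickest way to tell an egress block from a bad password.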
