Sending events to ElasticSearch#

This profile configures Filebeat to read events from suricata events files and send them to an ElasticSearch cluster.

The profile has the following best-practices enabled:

  • Filebeat is configured to send each event type to a different ElasticSearch index; the indices are:

    • suricata-alerts-%{+yyyy.MM.dd}: contains the Suricata alerts.

    • suricata-nsm-%{+yyyy.MM.dd}: contains the NSM records.

    • suricata-stats-%{+yyyy.MM.dd}: contains the Suricata stats.

    • suricata-service-logs-%{+yyyy.MM.dd}: contains the Suricata service logs.

  • Filebeat is configured to automatically load index templates into the ElasticSearch cluster so that alerts and events are stored with the correct field mappings.

  • The profile allows you to easily configure authentication if needed.
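The following Filebeat configuration is an added illustration of how the behaviour described above can be expressed; it is not the profile's own file. It assumes Suricata writes its EVE JSON to /var/log/suricata/eve.json and its service log to /var/log/suricata/suricata.log, that the ElasticSearch host, the CA file and the filebeat_writer user are placeholders to be replaced, and that the password is supplied through the Filebeat keystore or an environment variable rather than written into the file.

```yaml
# Added example, not the profile's shipped configuration.
filebeat.inputs:
  # EVE JSON: one event per line. The ndjson parser decodes each line and
  # places the fields under "suricata", so event_type is available for routing.
  - type: filestream
    id: suricata-eve
    paths:
      - /var/log/suricata/eve.json        # assumed path
    parsers:
      - ndjson:
          target: "suricata"
          add_error_key: true

  # Plain-text service log (startup, rule loading, errors). Tagged so it can be
  # routed to its own index.
  - type: filestream
    id: suricata-service
    paths:
      - /var/log/suricata/suricata.log    # assumed path
    fields:
      log_kind: service
    fields_under_root: true

# A custom index name requires a matching template name/pattern, and ILM must
# be disabled, otherwise Filebeat ignores the per-event index settings below.
setup.template.name: "suricata"
setup.template.pattern: "suricata-*"
setup.ilm.enabled: false

output.elasticsearch:
  hosts: ["https://es01.example.internal:9200"]   # placeholder host
  # Authentication: least-privilege writer account; the secret comes from the
  # keystore or the environment (ES_PASSWORD), never from this file.
  username: "filebeat_writer"                     # placeholder user
  password: "${ES_PASSWORD}"
  # Verify the cluster's certificate against a pinned CA instead of trusting
  # any certificate.
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]   # placeholder CA

  # Default index for everything that is not matched below (flow, dns, http,
  # tls, ...): the NSM records.
  index: "suricata-nsm-%{+yyyy.MM.dd}"
  indices:
    - index: "suricata-alerts-%{+yyyy.MM.dd}"
      when.equals:
        suricata.event_type: "alert"
    - index: "suricata-stats-%{+yyyy.MM.dd}"
      when.equals:
        suricata.event_type: "stats"
    - index: "suricata-service-logs-%{+yyyy.MM.dd}"
      when.equals:
        log_kind: "service"
```

The first matching entry in `indices` wins, and the top-level `index` is the fallback, so every EVE record that is neither an alert nor a stats record lands in the NSM index. Running `filebeat test config` and `filebeat test output` against this file before enabling the service checks both the syntax and the TLS/authentication settings without shipping any events.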