Update suricata.conf

mjabascal10 · web-flow · commit 02a6ac3ef6f9 · 2025-08-19T17:13:49.000-05:00
diff --git a/filters/suricata/suricata.conf b/filters/suricata/suricata.conf
@@ -1,6 +1,6 @@
 filter {
 
-# Suricata filter version 1.0.0
+# Suricata filter version 1.0.4
 # Based on https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html (latest 8.0.0) (august 2025)
 # and real events log provided
 # Support json format
@@ -24,11 +24,27 @@ filter {
     }
 
     if ![dataType] {
-      if [path] and [path] == "/var/log/suricata/eve.json" {
-          if [message] {
-            json { source => "message" }
+      # Parse Suricata logs from syslog
+      if [message] =~ /suricata\[\d+\]:.*event_type/ {
+        grok {
+          match => {
+            "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:syslog_host} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:suricata_json}"
           }
-          if [event_type] and ([event_type] == "anomaly" or [event_type] == "tls" or [event_type] == "flow" 
+          tag_on_failure => ["_grokparsefailure_suricata"]
+        }
+        
+        if [suricata_json] {
+          json { 
+            source => "suricata_json"
+          }
+          mutate {
+            remove_field => ["suricata_json", "syslog_pri", "syslog_timestamp", "syslog_program", "syslog_pid"]
+          }
+        }
+
+      
+      # Process all Suricata event types (from both syslog and file)
+      if [event_type] and ([event_type] == "anomaly" or [event_type] == "tls" or [event_type] == "flow" 
           or [event_type] == "alert" or [event_type] == "dns" or [event_type] == "ssh" 
           or [event_type] == "http" or [event_type] == "ftp" or [event_type] == "ftp_data" 
           or [event_type] == "tftp" or [event_type] == "smb" or [event_type] == "initial_request" 
@@ -49,20 +65,36 @@ filter {
                   rename => ["src_port", "[logx][suricata][src_port]"]
                   rename => ["tx_id", "[logx][suricata][tx_id]"]
               }
+      }
+      
+      # Set dataSource from syslog_host or host
+      if (![dataSource]){
+        if [syslog_host] {
+          mutate {
+            add_field => { "dataSource" => "%{syslog_host}" }
           }
-          if (![dataSource]){
-            mutate {
-              add_field => { "dataSource" => "%{host}" }
-            }
-          }
-          
+        } else if [host] {
           mutate {
-              add_field => {
-                  "dataType" => "suricata"
-              }
-              remove_field => [ "timestamp", "type", "path"]
-              rename => ["event_type", "[logx][suricata][event_type]"]
+            add_field => { "dataSource" => "%{host}" }
+          }
+        }
+      }
+      
+      # Clean up syslog_host field after using it
+      if [syslog_host] {
+        mutate {
+          remove_field => ["syslog_host"]
+        }
+      }
+      
+      # Add dataType and clean up fields
+      mutate {
+          add_field => {
+              "dataType" => "suricata"
           }
+          remove_field => [ "timestamp", "type", "path"]
+          rename => ["event_type", "[logx][suricata][event_type]"]
+      }
           if [tls] {
               mutate {
                   rename => ["tls", "[logx][suricata][tls]"]
@@ -374,5 +406,9 @@ filter {
             }
           }
       }
+      # Remove fields that are not needed
+      mutate {
+        remove_field => ["original_log_message", "suricata_json"]
+      }
     }
 }
