
After installing and configuring Suricata 5.0.2 according to the documentation at https://suricata.readthedocs.io/,

I tried to change some configuration in suricata.yaml by adding:

- alert-json-log:
      enabled: yes
      filetype: kafka
      kafka:
        brokers: > 
         xxx-kafka-online003:9092,
         xxx-kafka-online004:9092,
         xxx-kafka-online005:9092,
         xxx-kafka-online006:9092,
         xxx-kafka-online007:9092
        topic: nsm_event
        partitions: 5
      http: yes

Next I run Suricata and receive the error: Invalid entry for alert-json-log.filetype. Expected "regular" (default), "unix_stream", "pcie" or "unix_dgram"


I don't know how to configure Suricata to send logs to Kafka topics. Please help.


1 Answer


I don't see Kafka listed as an output type, therefore "no, there is not".

Refer to the docs: https://suricata.readthedocs.io/en/suricata-5.0.2/output/index.html

Plus, I'm not sure I understand what you expect http: yes to do, since Kafka is not an HTTP service.

What you could do is set filetype: unix_stream, then I assume that is Syslog, and you can add another service like Kafka Connect or Fluentd or Logstash to route that data to Kafka.

In other words, services don't need to integrate with Kafka. Plenty of alternatives exist to read files or stdout/stderr/syslog streams.

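An added example (not from the question or answer above) of the receiving side of the filetype: unix_stream route the answer suggests: a small listener on the Unix socket that Suricata's output connects to, which reassembles the newline-delimited EVE JSON records and hands each one to a sink callable where a Kafka producer's send() would go. The socket path /var/run/suricata/eve.sock and the sample records are assumptions constructed for the example; the important edge case it handles is a record split across two socket reads.

```python
import json
import os
import socket
from typing import Callable, List, Tuple

# Constructed sample: two EVE records, the second one split across two reads.
SAMPLE_CHUNKS = [
    b'{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":2100498}}\n{"event_type":"h',
    b'ttp","src_ip":"10.0.0.6","http":{"hostname":"example.test"}}\n',
]

def split_eve_lines(buf: bytes, chunk: bytes) -> Tuple[List[dict], bytes]:
    """Append chunk to buf; return complete JSON records and the unparsed tail.

    EVE output is newline-delimited JSON. A stream read may end mid-record, so
    the incomplete tail is carried to the next call instead of being dropped."""
    buf += chunk
    records: List[dict] = []
    while b"\n" in buf:
        line, buf = buf.split(b"\n", 1)
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the stream
    return records, buf

def serve(socket_path: str, sink: Callable[[dict], None]) -> None:
    """Listen on socket_path (Suricata connects to it as a client) and hand
    every EVE record to sink, e.g. a Kafka producer's send()."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(socket_path)
        os.chmod(socket_path, 0o660)  # restrict who may write alerts into it
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(65536):
                records, buf = split_eve_lines(buf, chunk)
                for rec in records:
                    sink(rec)

if __name__ == "__main__":
    # Assumed suricata.yaml: filetype: unix_stream, filename: /var/run/suricata/eve.sock
    serve("/var/run/suricata/eve.sock", lambda rec: print(json.dumps(rec)))
```

The listener must be running before Suricata starts, since Suricata opens the socket as a client.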