
I configured suricata.yaml to obtain the pcap output, and I need to send it to Kafka. In the Suricata documentation, there is nothing about the configuration to send to Kafka. How can I send the pcap output directly to Kafka? Could Kafka listen to Suricata output? Or do I have to use an additional tool between them?

Thanks.

  • Welcome to Stack Overflow! Take a look at how we do things at stackoverflow.com/help. You may want to edit your question (button at the bottom) so that it conforms more closely with [how to ask](https://stackoverflow.com/help/how-to-ask). – Ross Jacobs Apr 06 '20 at 18:52

1 Answer


Kafka doesn't "listen" to anything but its own client protocols. You will need to write your own Kafka producer process for this, I bet.

For example, Filebeat is an option.

Personally, I would look into NiFi for parsing and transforming PCAP data prior to Kafka, though, as this is what Apache Metron does.

OneCricketeer
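The "write your own Kafka producer process" route from the answer above, as an added example that is not code from the question, the answer or the Suricata project: a small pcap reader that splits a Suricata pcap file into one Kafka message per captured packet, keyed by the capture timestamp. It assumes kafka-python's `KafkaProducer.send(topic, value=..., key=...)` and `flush()` interface; `ListProducer`, `publish_pcap` and the sample pcap are constructed for this example, and a truncated record (a file still being written) is reported rather than silently dropped.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_US, PCAP_MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D  # classic pcap, us / ns timestamps
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16

def iter_pcap_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_ns, packet_bytes) for each record of a classic pcap file."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    frac_to_ns = 1_000 if magic == PCAP_MAGIC_US else 1
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")  # e.g. Suricata is still writing the file
        yield ts_sec * 1_000_000_000 + ts_frac * frac_to_ns, data[off:off + incl_len]
        off += incl_len

def publish_pcap(data: bytes, producer, topic: str = "suricata-pcap") -> int:
    """Send one Kafka message per packet (key = capture timestamp in ns); return the count."""
    count = 0
    for ts_ns, pkt in iter_pcap_records(data):
        producer.send(topic, key=str(ts_ns).encode(), value=pkt)  # kafka-python signature
        count += 1
    producer.flush()  # block until the broker has acknowledged the outstanding batch
    return count

class ListProducer:
    """In-memory stand-in for kafka.KafkaProducer so the example runs without a broker."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, bytes, bytes]] = []
    def send(self, topic, value=None, key=None):
        self.sent.append((topic, key, value))
    def flush(self) -> None:
        pass

def build_sample_pcap(packets: List[bytes]) -> bytes:
    """Constructed test input: little-endian, microsecond pcap with Ethernet link type 1."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_586_195_520 + i, 500, len(pkt), len(pkt)) + pkt
    return out
```

Replace `ListProducer()` with `KafkaProducer(bootstrap_servers="kafka:9092")` to publish to a real broker; consumers downstream then receive raw packet bytes rather than a whole pcap file.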