
Suricata log output

Author: Internet

Install Filebeat

Configure the inputs and output in filebeat.yml

# ============================== Filebeat inputs ===============================

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/fast-*.log  # Suricata alert log: one text line per alert
  fields:
    filename: fast

- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve-*.json  # Suricata EVE log: alerts plus every other event type (flow, dns, http, ...)
  fields:
    filename: eve
  # Decode each line as JSON and place its keys at the top level of the event.
  # overwrite_keys only takes effect when keys_under_root is enabled.
  json.keys_under_root: true
  json.overwrite_keys: true
  # Tag lines that fail to decode instead of silently dropping them
  json.add_error_key: true

······
······

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts (Logstash must run a beats input listening on this port)
  #hosts: ["localhost:514"]
  hosts: ["10.10.10.1:514"]

Note that every alert already appears in eve.json as an event_type "alert" record, so shipping fast-*.log as well sends each alert twice; keep the fast input only if something downstream needs the plain-text format.

Suricata's eve.json grows large every day, so the logs are kept one file per day and the previous day's files are deleted. This leaves a single day of logs on the sensor: if Filebeat falls behind (Logstash down, network outage), Filebeat's default close_removed setting closes the harvester when the file disappears, and any lines it has not yet read are lost. Keep a longer retention if the sensor cannot afford that.

Create a file named suricatalog under /etc/cron.daily/ and make it executable (chmod +x); keep the name free of dots, since Debian's run-parts skips such names:

#!/bin/sh
# Remove the Suricata log files dated yesterday. The date is part of the
# file name (for example eve-2021-05-31.json), so match on it with find
# rather than parsing ls output; -type f ensures only files are removed.
yesterday=$(date -d '1 days ago' +%Y-%m-%d)
find /var/log/suricata -maxdepth 1 -type f -name "*${yesterday}*" -delete

exit 0
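The pipeline above ships raw eve.json lines to Logstash and keeps only one day of logs on the sensor. As an added example that is not part of the original post, the Python script below shows what those records look like once decoded and applies the same retention rule with a safer file match: it parses a constructed sample of eve.json lines (not captured from a real sensor), pulls out the alert events and the fields worth indexing, and computes which dated log files fall outside a configurable retention window. The sample events, signature IDs and file names are assumptions for illustration.

```python
import json
import re
from datetime import date, timedelta
from pathlib import Path

# Constructed sample of eve.json content: one JSON object per line, mixed
# event types, plus one corrupt line. Not captured from a real sensor.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-06-01T10:15:02.123456+0800","event_type":"alert",'
    '"src_ip":"10.10.10.5","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-06-01T10:15:03.000000+0800","event_type":"dns",'
    '"src_ip":"10.10.10.5","dest_ip":"10.10.10.1","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2021-06-01T10:17:45.500000+0800","event_type":"alert",'
    '"src_ip":"192.0.2.77","src_port":4444,"dest_ip":"10.10.10.8","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":2001219,"rev":20,'
    '"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":1}}',
    'not json: a truncated line left behind by a crash or partial write',
]


def parse_eve(lines):
    """Decode eve.json lines. Malformed lines are counted and skipped instead
    of aborting the run (Filebeat's json.add_error_key tags them instead).
    Returns (records, number_of_bad_lines)."""
    records, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def alerts(records, max_severity=2):
    """Return alert events with severity <= max_severity (1 is most severe),
    flattened to the fields worth indexing in Logstash/Elasticsearch."""
    out = []
    for r in records:
        if r.get("event_type") != "alert":
            continue
        a = r.get("alert", {})
        if a.get("severity", 3) > max_severity:
            continue
        out.append({
            "timestamp": r.get("timestamp"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": a.get("severity"),
            "src": f'{r.get("src_ip")}:{r.get("src_port")}',
            "dest": f'{r.get("dest_ip")}:{r.get("dest_port")}',
            "proto": r.get("proto"),
        })
    return out


# Dated file names as produced by the per-day layout above (assumed pattern).
DATED_LOG = re.compile(r"^(?:eve|fast)-(\d{4}-\d{2}-\d{2})\.(?:json|log)$")


def expired_logs(names, today, keep_days=1):
    """Names of dated Suricata logs to delete, keeping the most recent
    keep_days days (today included). keep_days=1 gives the one-day retention
    of the cron job: everything dated yesterday or earlier goes.
    `today` is an ISO date string such as "2021-06-01"."""
    cutoff = date.fromisoformat(today) - timedelta(days=keep_days)
    expired = []
    for name in names:
        m = DATED_LOG.match(name)
        if not m:
            continue  # the live eve.json, suricata.log etc. are never touched
        try:
            stamped = date.fromisoformat(m.group(1))
        except ValueError:
            continue  # looks dated but is not a real calendar date
        if stamped <= cutoff:
            expired.append(name)
    return sorted(expired)


def purge_expired(log_dir, today=None, keep_days=1, dry_run=True):
    """Delete expired dated logs from log_dir and return what was (or would
    be) removed. dry_run defaults to True so a wrong log_dir costs nothing."""
    log_dir = Path(log_dir)
    today = today or date.today().isoformat()
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    victims = expired_logs(names, today, keep_days)
    if not dry_run:
        for name in victims:
            (log_dir / name).unlink()
    return victims


if __name__ == "__main__":
    records, bad = parse_eve(SAMPLE_EVE_LINES)
    print(f"{len(records)} records decoded, {bad} malformed line(s) skipped")
    for a in alerts(records):
        print(a)
    print(expired_logs(["eve-2021-06-01.json", "eve-2021-05-31.json",
                        "fast-2021-05-30.log", "eve.json"], "2021-06-01"))
```

Run it with python3 to see the decoded alerts and the retention decision on the built-in sample; purge_expired("/var/log/suricata", keep_days=3, dry_run=False) performs the real deletion. Raising keep_days above 1 gives Filebeat room to drain a backlog before files disappear, and matching the date with an anchored pattern (rather than a substring grep over ls output) guarantees the live eve.json and unrelated files are never removed.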

Source: https://blog.csdn.net/m0_55593211/article/details/117448298