Suricata log output
Author: Internet
Install Filebeat
Configure the inputs and output in filebeat.yml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/fast-*.log   # Suricata alert log
  fields:
    filename: fast
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve-*.json   # Suricata log of all traffic events
  fields:
    filename: eve
  # Lets fields decoded from the eve.json lines replace Filebeat's own fields on
  # conflict; it only takes effect together with json.keys_under_root.
  json.overwrite_keys: true
······
······
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:514"]
  hosts: ["10.10.10.1:514"]
Suricata's eve.json grows large every day, so the logs are kept per day and the previous day's eve.json is deleted.
Go to /etc/cron.daily/
and create a file named suricatalog:
#!/bin/sh
# Delete every file in /var/log/suricata/ whose name carries yesterday's date
# (GNU date -d); the per-day file names are what make this work.
ls /var/log/suricata/ | grep "$(date -d '1 days ago' +%Y-%m-%d)" | xargs -I {} rm -f /var/log/suricata/{}
exit 0
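As an added example (not part of the original post), a narrower version of the same retention job: it removes only eve-*.json and fast-*.log files carrying the given date in their name, so unrelated files in the directory are never touched, and it supports a dry run. It assumes GNU date and date-stamped file names such as eve-2021-06-01.json (constructed names).

```shell
#!/bin/sh
# Added example: retention helper for date-stamped Suricata logs.
# Assumes GNU date (-d) and names like eve-2021-06-01.json / fast-2021-06-01.log.

# Print the Suricata log files in directory $1 whose name carries date $2 (YYYY-MM-DD).
# Only eve-*.json and fast-*.log are considered, so other files are left alone.
suricata_logs_for_date() {
    dir=$1
    day=$2
    find "$dir" -maxdepth 1 -type f \
        \( -name "eve-${day}*.json" -o -name "fast-${day}*.log" \) | sort
}

# Remove the files for that date; with DRY_RUN=1 only report what would be removed.
purge_suricata_logs() {
    dir=$1
    day=$2
    suricata_logs_for_date "$dir" "$day" | while IFS= read -r f; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would remove $f"
        else
            rm -f -- "$f"
        fi
    done
}

# Yesterday's date, as the cron job in the post computes it (GNU date).
yesterday() {
    date -d '1 day ago' +%Y-%m-%d
}

# From /etc/cron.daily, invoke with --run to purge yesterday's Suricata logs.
if [ "${1:-}" = "--run" ]; then
    purge_suricata_logs /var/log/suricata "$(yesterday)"
fi
```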
Source: https://blog.csdn.net/m0_55593211/article/details/117448298