Comments on How to Install Suricata and Zeek IDS with ELK on Ubuntu 20.10

In this tutorial we will install and configure Suricata, Zeek, the Elasticsearch Logstash Kibana (ELK) stack, and some optional tools on an Ubuntu 20.10 (Groovy Gorilla) server.

Comments

By: Joel Weinshank

Miguel, thanks for including a link in this thorough post to Bricata's discussion on the pairing of Suricata and Zeek. This article is another great service to those whose needs are met by these and other open source tools. I look forward to your next post.

By: Adris

Hi, maybe you could do a tutorial for Debian 10 ELK and Elastic Security (SIEM), because when I try it does not work. Only ELK on Debian 10 works. There are differences in installing ELK between Debian and Ubuntu.

Regards, AS

By: Adris

Hi,

Miguel, I set up ELK with Suricata and it works, but I have a problem with the Alarm dashboard. On the Event dashboard everything is OK, but on Alarm I get "No results found" and my file last.log has nothing in it. Before the integration with ELK the file fast.log was OK and contained entries. I have a file .fast.log.swp; I don't know what this is. Maybe you know.

By: Miguel

Ubuntu is a Debian derivative, but a lot of packages are different. When I find the time I will give it a go to see what the differences are.

By: Adris

Miguel,

Everything is ok. Thanks for everything. I didn't update suricata rules :)

By: sk88

hello,

In the step where I have to configure this I get the following error:

/usr/share/filebeat/bin/filebeat setup

Exiting: error loading config file: stat filebeat.yml: no such file or directory

filebeat test config: Config OK

Also filebeat -e:

2021-06-12T15:30:02.621+0300 INFO instance/beat.go:665 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]

2021-06-12T15:30:02.622+0300 INFO instance/beat.go:673 Beat ID: f2e93401-6c8f-41a9-98af-067a8528adc7

2021-06-12T15:30:02.633+0300 INFO instance/beat.go:410 filebeat stopped.

2021-06-12T15:30:02.633+0300 ERROR instance/beat.go:989 Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).

Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).

Any idea?

By: Mic

These instructions do not always work; they produce a bunch of errors.

By: chrisblekos

Are you sure that this works? Because when I'm trying to connect Logstash to Elasticsearch it always says 401 error. I'm using ELK version 7.15.1.

Meanwhile, if I send data from Beats directly to Elastic it works just fine.

By: Mickael

Too many errors in this howto. Totally unusable. Don't waste 1 hour of your life!

By: Luc

Miguel, thanks for such a great explanation. My question is, what is the hardware requirement for all this setup, all in one single machine or on different machines?