Skip to content

Configure Suricata to send alerts to LogSentinel SIEM

To send alerts to LogSentinel SIEM, you must first configure a syslog integration.

You must have access to the Suricata device and have the permissions to write to configuration files and to restart services.

Ensure that rsyslog is installed on the system where Suricata is running.

  1. Log in to the Suricata device.
  2. Open the Suricata configuration file suricata.yaml, found in the Suricata installation directory.
  3. Update the eve-log entry under the outputs header. Use the following example:

    outputs:
      - eve-log:
        enabled: yes
        filetype: syslog
        identity: “suricata”
        facility: local0
        types:
          - alert:
4. Open the rsyslog configuration file /etc/rsyslog.conf and add a forwarding rule to send the alerts to LogSentinel SIEM. Use the following example: 
local0.* @@<LogSentinel IP/hostname>:<port>

The is the IP or hostname of the LogSentinel Collector or LogSentinel server that you want to send logs to. The port is the corresponding port that you have configured (2516/1516 by default for UDP).

  1. Restart the Suricata and rsyslog services.

Note

Make sure that all firewalls (including the firewall on the collector machine) allow connections to the collector port