Latest commit e6af1ef Jul 27, 2016 @cleesmith: update README about only supporting 'true unified logging', i.e. 'output unified2: ...' in snort.conf
Unifiedbeat

Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch. Unified2 files are created by IDS/IPS software such as Snort and Suricata.


Note: only Snort's unified2 output (the output unified2: ... line in snort.conf) is supported.


In addition to using Kibana, a Go web app called Pakquery is also available for searching the data indexed by unifiedbeat. Pakquery's searches use the same simple Lucene syntax as Kibana. However, Pakquery is aware of the connection between event and packet record types, which share the event_id field. This means that one can click on either an event record or a packet record and see the complete event/packet details.
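As an added illustration, not code from unifiedbeat or Pakquery, here is a minimal Go reader for the two record types that the event_id linkage above joins, with the bounds checks a reader of partially written unified2 files needs. The record layout is assumed from Snort's Unified2 definitions (legacy IPv4 event type 7, packet type 2) and the input stream is constructed in SampleStream.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"io"
)
// Layout assumed from Snort's Unified2: big-endian 4-byte type + 4-byte body length per record; type 7 = legacy
// IPv4 IDS event (52 bytes), type 2 = packet (28-byte header followed by packet_length bytes of raw frame).
type IDSEvent struct {
	SensorID, EventID, EventSecond, EventMicrosecond, SignatureID, GeneratorID, SignatureRevision, ClassificationID, PriorityID, IPSource, IPDest uint32
	SportItype, DportIcode                                                                                                                      uint16
	Protocol, ImpactFlag, Impact, Blocked                                                                                                       uint8
}
type PacketHdr struct{ SensorID, EventID, EventSecond, PacketSecond, PacketMicrosecond, Linktype, PacketLength uint32 }
type Packet struct { PacketHdr; Data []byte } // Data is the raw frame; Linktype (1 = Ethernet) says how to decode it

// Parse groups packet records under their event by event_id. Every length is checked against the bytes actually
// present before slicing, so a truncated or corrupt file (e.g. one still being written) errors instead of panicking.
func Parse(buf []byte) (map[uint32]IDSEvent, map[uint32][]Packet, error) {
	events, packets, u32 := map[uint32]IDSEvent{}, map[uint32][]Packet{}, binary.BigEndian.Uint32
	var ev, p = IDSEvent{}, Packet{} // reused across records; the maps store copies
	for len(buf) > 0 {
		if len(buf) < 8 || uint64(u32(buf[4:])) > uint64(len(buf)-8) {
			return nil, nil, io.ErrUnexpectedEOF
		}
		typ, body := u32(buf), buf[8:8+u32(buf[4:])]
		buf = buf[8+len(body):]
		switch typ {
		case 7:
			if binary.Read(bytes.NewReader(body), binary.BigEndian, &ev) != nil {
				return nil, nil, io.ErrUnexpectedEOF
			}
			events[ev.EventID] = ev
		case 2:
			if binary.Read(bytes.NewReader(body), binary.BigEndian, &p.PacketHdr) != nil || uint64(p.PacketLength) > uint64(len(body)-28) {
				return nil, nil, io.ErrUnexpectedEOF
			}
			p.Data = body[28 : 28+p.PacketLength]
			packets[p.EventID] = append(packets[p.EventID], p)
		} // other record types (extra data, IPv6/VLAN events) are skipped rather than rejected
	}
	return events, packets, nil
}

func SampleStream() []byte { // constructed input: one event (event_id 42, sid 1000001) plus the packet logged for it
	var b bytes.Buffer
	for _, v := range []interface{}{[2]uint32{7, 52}, IDSEvent{SensorID: 1, EventID: 42, EventSecond: 1469577600, SignatureID: 1000001, GeneratorID: 1, IPSource: 0x0a000001, IPDest: 0x0a000002, SportItype: 40000, DportIcode: 80, Protocol: 6}, [2]uint32{2, 32}, PacketHdr{1, 42, 1469577600, 1469577600, 0, 1, 4}, []byte{0xde, 0xad, 0xbe, 0xef}} { binary.Write(&b, binary.BigEndian, v) }
	return b.Bytes()
}
```

Parse(SampleStream()) yields one event keyed by event_id 42 and one packet under the same key; feeding it a stream cut mid-record, or a packet whose packet_length exceeds its record body, returns io.ErrUnexpectedEOF rather than panicking.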


Usage

  1. build from source
  2. curl -XPUT 'http://localhost:9200/_template/unifiedbeat' -d@etc/unifiedbeat.template.json
  3. edit unifiedbeat.yml
  4. ./unifiedbeat -c unifiedbeat.yml