Latest commit e6af1ef Jul 27, 2016


Unifiedbeat

Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch. Unified2 files are created by IDS/IPS software such as Snort and Suricata.


Note: only the "output unified2: ..." output plugin in snort.conf is supported.


In addition to Kibana, a Go web app called Pakquery is available for searching the data indexed by unifiedbeat. Pakquery's searches use the same simple Lucene syntax as Kibana. Unlike Kibana, however, Pakquery knows how event and packet records are related through the event_id field, so clicking on either an event record or a packet record shows the complete event/packet details for that event.
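The event/packet relation Pakquery relies on, as an added Go example that is not unifiedbeat's or Pakquery's own code: a defensive reader for the Unified2 record framing that refuses truncated or implausibly long records, plus extraction of the event_id shared by event and packet records. The record type codes and body layouts are those of the Unified2 format; the sample stream, the 64 KiB length cap and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"io"
)
type Record struct {
	Type uint32 // record type code from the 8-byte big-endian (type, length) header
	Body []byte // the length bytes that follow the header
}

// ReadRecords parses a Unified2 stream, refusing truncated or oversized records instead of trusting the length field.
func ReadRecords(r io.Reader) ([]Record, error) {
	var out []Record
	for {
		var hdr [8]byte
		if _, err := io.ReadFull(r, hdr[:]); err == io.EOF {
			return out, nil // clean end of stream
		} else if err != nil {
			return out, err // partial header
		}
		n := binary.BigEndian.Uint32(hdr[4:])
		if n > 1<<16 { // cap chosen for this example; no packet record body exceeds it
			return out, errors.New("implausible record length")
		}
		body := make([]byte, n)
		if _, err := io.ReadFull(r, body); err != nil {
			return out, err // body shorter than the header claims
		}
		out = append(out, Record{binary.BigEndian.Uint32(hdr[:4]), body})
	}
}

// EventID returns the field Pakquery joins on: packet records (type 2) and IDS
// event records (types 7, 104) all begin with sensor_id, event_id, event_second.
func EventID(rec Record) (uint32, bool) {
	if (rec.Type == 2 || rec.Type == 7 || rec.Type == 104) && len(rec.Body) >= 12 {
		return binary.BigEndian.Uint32(rec.Body[4:8]), true
	}
	return 0, false
}

// SampleStream is a constructed stream, not a real capture: an IDS event v2 (60-byte
// body) then a packet record (28-byte fixed part), both with sensor_id 1, event_id 42.
func SampleStream() []byte {
	var buf bytes.Buffer
	for _, r := range []struct{ Type, Len, Sensor, Event uint32 }{{104, 60, 1, 42}, {2, 28, 1, 42}} {
		binary.Write(&buf, binary.BigEndian, r) // header plus the first two body fields
		buf.Write(make([]byte, r.Len-8))        // remaining body fields, zeroed
	}
	return buf.Bytes()
}
```

Grouping the records returned by ReadRecords by EventID reproduces the event-to-packet join described above; an event_id is only unique per sensor, so a production index would key on sensor_id as well.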


Usage

  1. build from source
  2. curl -XPUT 'http://localhost:9200/_template/unifiedbeat' -d@etc/unifiedbeat.template.json
  3. edit unifiedbeat.yml
  4. ./unifiedbeat -c unifiedbeat.yml