Suricata Listener is a tool designed to continuously monitor and process logs generated by Suricata, an IDS/IPS system, providing real-time analysis and potential threat mitigation.
Real-time Log Processing: Actively listens for new logs and processes them immediately. It uses fsnotify to watch for new entries appended to the eve.json log file generated by Suricata.
Integration with Kubernetes: Can be deployed as a DaemonSet to monitor Suricata logs across nodes.
Policy Enforcement with OPA: Leverages Open Policy Agent (OPA) to evaluate Suricata alerts against defined policies.
A running Suricata setup. Use this repo to deploy it in GKE using OIDC authentication: https://github.com/harkirat22/falcon-suricata-gke-deployment
Kubernetes cluster for DaemonSet deployment.
Docker, if running in containers.
To build and run the Suricata Listener using Docker:

    docker build -t suricata-listener .
    docker run -v /path/to/suricata/logs:/var/log/suricata suricata-listener
Refer to the provided Terraform configuration to deploy Suricata Listener as a DaemonSet in a Kubernetes cluster. Link: https://github.com/harkirat22/falcon-suricata-gke-deployment
Once deployed, the Suricata Listener will continuously monitor the designated log directory (/var/log/suricata by default) for new entries in eve.json, which is written as newline-delimited JSON (NDJSON): one event object per line.
When an alert entry is detected, the listener evaluates it against the policies defined in OPA.