Contents
Prerequisites
1. Suricata
Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that inspects network traffic and raises alerts on suspicious activity. Detection is signature-based: traffic is matched against predefined rules, so it catches what the loaded ruleset describes. Its other key capability is that it can run inline (here through NFQUEUE) and drop matching traffic rather than only logging it, which is what turns the IDS into an IPS.
2. Elastic Stack, Kibana, Filebeat
Install and configure the Elastic Stack so that Suricata logs can be searched and visualized in Kibana, with Filebeat shipping Suricata's EVE JSON log to Elasticsearch.
In this session Suricata and the Elastic Stack are installed on the following two servers:
・First server, Suricata IDS and Filebeat: Arch Linux, IP address 192.168.11.83
・Second server, Elasticsearch and Kibana: Debian 13.x, IP address 192.168.11.85
All commands are run as root unless noted otherwise (the AUR helper yay refuses to run as root, so the package install step switches to a regular user first).
Server 1: Suricata Installation
1.Installing and Configuring Suricata
①Install
Install the NFQUEUE-enabled build from the AUR. Because yay will not run as root, switch to an unprivileged user first (huong is the author's account; substitute your own):
# su - huong
$ yay -S suricata-nfqueue
Version check:
# suricata -V
This is Suricata version 8.0.2 RELEASE
➁Checking and Loading Required Kernel Modules
To use NFQUEUE, the kernel must support nfnetlink_queue.
Module verification:
# lsmod | grep nfnetlink_queue
If nothing is printed, load the module:
# modprobe nfnetlink_queue
Confirm again:
# lsmod | grep nfnetlink_queue
nfnetlink_queue        32768  1
nfnetlink              20480  4 nfnetlink_queue
To keep the module loaded across reboots, register it with systemd-modules-load:
# echo "nfnetlink_queue" | tee /etc/modules-load.d/nfqueue.conf
➂Determine the interface and IP address on which Suricata will inspect packets
# ip --brief address
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:fe17:39f1/64
The interface name (ens33) and the local network (192.168.11.0/24) are used in the next step.
④Edit the configuration file
# vi /etc/suricata/suricata.yaml
Around line 18, in the vars section: comment out the default HOME_NET and add the local network below it. HOME_NET drives the direction logic of most rules ($HOME_NET -> $EXTERNAL_NET and the reverse), so it should match the networks you actually own rather than the whole RFC 1918 space:
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
HOME_NET: "[192.168.11.0/24]"
Around line 158: change community-id: false to community-id: true. The Community ID flow hash is what lets a Suricata event be correlated with the same flow seen by Zeek or in Elastic.
Around line 661: set the interface name in the af-packet section:
af-packet:
  - interface: ens33
Set directory ownership and permissions
# chown -R root:root /tmp
# chmod 775 /tmp
Caveat: on a standard Linux system /tmp is root-owned with mode 1777 (world-writable plus the sticky bit). Setting it to 775 removes write access for every non-root user, which Suricata does not require and which can break other services that write to /tmp. If you keep this step, expect that side effect; leaving /tmp at 1777 is the safer choice.
⑤Starting Suricata
# systemctl enable --now suricata
Created symlink /etc/systemd/system/multi-user.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
enable --now both enables the unit at boot and starts it immediately, so a separate systemctl start suricata is not needed.
⑥Verifying that Suricata is running
# systemctl status suricata
● suricata.service - Suricata IDS/IPS daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Sat 2026-03-07 09:51:32 JST; 15s ago
 Invocation: 5dd2b3c4d6844e2083a178dc38022b22
   Main PID: 32508 (Suricata-Main)
      Tasks: 10 (limit: 4604)
     Memory: 46.8M (peak: 47M)
        CPU: 179ms
     CGroup: /system.slice/suricata.service
             └─32508 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0

Mar 07 09:51:32 Lepard systemd[1]: Started Suricata IDS/IPS daemon.
Mar 07 09:51:32 Lepard suricata[32508]: Info: conf-yaml-loader: Including configuration file local.yaml.
Mar 07 09:51:32 Lepard suricata[32508]: i: suricata: This is Suricata version 8.0.2 RELEASE running in SYSTEM mode
Mar 07 09:51:32 Lepard suricata[32508]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Mar 07 09:51:32 Lepard suricata[32508]: W: detect: 2 rule files specified, but no rules were loaded!
Mar 07 09:51:32 Lepard suricata[32508]: i: mpm-hs: Rule group caching - loaded: 0 newly cached: 0 total cacheable: 0
Mar 07 09:51:32 Lepard suricata[32508]: i: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1 Engine started.
The -q 0 argument shows the packaged unit starts Suricata in NFQUEUE (inline) mode on queue 0. The two W: lines mean no rules have been loaded yet: the engine is running but will alert on nothing until a ruleset has been fetched (section 3).
Check the log
# tail /var/log/suricata/suricata.log
Statistics are written to stats.log, by default every 8 seconds (the interval setting of the stats output in suricata.yaml):
# tail -f /var/log/suricata/stats.log
EVE JSON, the structured one-event-per-line output that Filebeat will ship later, is written to eve.json; follow it with:
# tail -f /var/log/suricata/eve.json
2. Testing Suricata
①Temporarily switch from NFQUEUE (inline) mode to AF_PACKET (passive) mode
In -q 0 mode Suricata only sees packets that the firewall has sent to NFQUEUE, and no such firewall rules exist yet, so for this first test run it directly on the interface instead:
# vi /usr/lib/systemd/system/suricata.service
Line 12: comment out the existing ExecStart and add the AF_PACKET variant below it
#ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -i ens33 --user suricata
Then run systemctl daemon-reload and restart the service so the new ExecStart takes effect (the same two commands used in section 4 to switch back). Note that a unit file edited in place under /usr/lib/systemd/system is overwritten by the next package upgrade; a drop-in created with systemctl edit suricata survives upgrades and is the cleaner way to carry this change.
➁Fetch the test page with curl
testmynids.org serves a page whose body is the string uid=0(root) gid=0(root) groups=0(root). That body matches ET Open signature 2100498 (GPL ATTACK_RESPONSE id check returned root), so the request is a harmless way to confirm that the sensor is inspecting traffic. It only produces an alert once the ET Open ruleset is loaded (section 3).
# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
➂Check the log files for the rule's signature ID
Suricata writes two alert logs by default:
/var/log/suricata/fast.log (one text line per alert)
/var/log/suricata/eve.json (JSON, one event per line)
To find the alert produced by the curl request, grep fast.log for the signature ID 2100498:
# grep 2100498 /var/log/suricata/fast.log
03/07/2026-10:18:54.244566  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.249.165.123:80 -> 192.168.11.83:53322
The bracketed triple is gid:sid:rev. Note the direction of the match: it is the server's response (13.249.165.123:80 -> 192.168.11.83) that carries the uid=0(root) string, not the request.
④Check the events in /var/log/suricata/eve.json
Install jq
# pacman -S jq
Filter the EVE log for signature 2100498: select every event whose alert object has signature_id equal to 2100498 (for events with no alert object, such as flow or http records, .alert.signature_id is null and the comparison is simply false)
# jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
{
  "timestamp": "2026-03-07T10:18:54.244566+0900",
  "flow_id": 1792631861341614,
  "in_iface": "ens33",
  "event_type": "alert",
  "src_ip": "13.249.165.123",
  "src_port": 80,
  "dest_ip": "192.168.11.83",
  "dest_port": 53322,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "community_id": "1:szOE3aOZBYbhTrHzHaSvbQf2ZA4=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2100498,
    "rev": 7,
    "signature": "GPL ATTACK_RESPONSE id check returned root",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_09_23"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "app_proto": "http",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 4,
    "bytes_toserver": 430,
    "bytes_toclient": 810,
    "start": "2026-03-07T10:18:54.220771+0900",
    "src_ip": "192.168.11.83",
    "dest_ip": "13.249.165.123",
    "src_port": 53322,
    "dest_port": 80
  }
}
"action" is "allowed" because Suricata is running passively here: the packet was seen and reported but not dropped. The community_id field is present because community-id was enabled in step ④.
3. Configuring Suricata Rules
①Displaying the rule files currently present
# ls -al /var/lib/suricata/rules/
total 41668
drwxr-x---  2 suricata suricata     4096 Mar  2 15:15 .
drwxr-x---  5 suricata suricata     4096 Mar  2 15:11 ..
-rw-r--r--  1 root     root         3228 Mar  2 15:15 classification.config
-rw-r-----  1 suricata suricata        0 Mar  2 15:05 local.rules
-rw-r--r--  1 root     root     42654947 Mar  2 15:15 suricata.rules
②List the index of sources that provide rulesets
# suricata-update list-sources
Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0

Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-c2
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
  License: CC0-1.0

Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0

Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT

Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT

Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT

Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT

Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0

Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom

Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only

Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed

Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
③Enable a source (here tgreen/hunting; et/open is enabled by default)
# suricata-update enable-source tgreen/hunting
2/3/2026 -- 15:27:59 - <Info> -- Using data-directory /var/lib/suricata.
2/3/2026 -- 15:27:59 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
2/3/2026 -- 15:27:59 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
2/3/2026 -- 15:27:59 - <Info> -- Found Suricata version 8.0.3 at /usr/bin/suricata.
2/3/2026 -- 15:27:59 - <Warning> -- Source index does not exist, will use bundled one.
2/3/2026 -- 15:27:59 - <Warning> -- Please run suricata-update update-sources.
2/3/2026 -- 15:27:59 - <Info> -- Creating directory /var/lib/suricata/update/sources
2/3/2026 -- 15:27:59 - <Info> -- Enabling default source et/open
2/3/2026 -- 15:27:59 - <Info> -- Source tgreen/hunting enabled
Refresh the source index, as the warning above asks (this only updates the list of available sources, not the rules themselves):
# suricata-update update-sources
Then download the enabled sources and merge them into /var/lib/suricata/rules/suricata.rules by running suricata-update with no arguments. Until that has run, Suricata keeps starting with the "no rules were loaded" warning seen in step ⑥ and the curl test produces no alert.
Restart the Suricata service so it loads the new rule file
# systemctl restart suricata
4. Configuring Suricata as an IPS
①Return to NFQUEUE mode
# vi /usr/lib/systemd/system/suricata.service
Line 12: uncomment
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -q 0
Line 13: comment out
#ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid -i ens33 --user suricata
# systemctl daemon-reload
# systemctl restart suricata
Create the following custom signature, which alerts on SSH traffic to this host on any port other than 22 (assuming SSH really does listen on 22), and add it to /var/lib/suricata/rules/local.rules. The sid 1000000 is in the range reserved for local rules, so it cannot collide with a vendor ruleset.
# vi /var/lib/suricata/rules/local.rules
alert ssh any any -> 192.168.11.83 !22 (msg:"SSH TRAFFIC on non-SSH port"; flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;)
Edit the Suricata configuration file so that local.rules is loaded alongside the merged ruleset
# vi /etc/suricata/suricata.yaml
Line 2304: add local.rules to the rule-files list
rule-files:
  - suricata.rules
  - local.rules
Verify the Suricata configuration and rules without starting the engine (-T loads everything, reports any rule that fails to parse, and exits)
# suricata -T -c /etc/suricata/suricata.yaml -v
Info: detect: 48799 signatures processed. 1242 are IP-only rules, 4477 are inspecting packet payload, 42845 inspect application layer, 110 are decoder event only
Notice: mpm-hs: Rule group caching - loaded: 33 newly cached: 80 total cacheable: 113
Notice: suricata: Configuration provided was successfully loaded. Exiting.
Restart Suricata
# systemctl restart suricata.service
Redirect network traffic to Suricata's NFQUEUE
Since ufw is installed and enabled on this host, add the NFQUEUE rules Suricata needs to ufw's before.rules (assuming SSH is on port 22)
# vi /etc/ufw/before.rules
Around line 18, directly after the required header lines, add the NFQUEUE block:
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

## Start Suricata NFQUEUE rules
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD -j NFQUEUE
-I INPUT 2 -j NFQUEUE
-I OUTPUT 2 -j NFQUEUE
## End Suricata NFQUEUE rules
-j NFQUEUE without --queue-num targets queue 0, which matches the -q 0 Suricata was started with. The --queue-bypass flag on the two SSH rules means the kernel accepts those packets when nothing is listening on the queue, so a Suricata crash or restart cannot lock you out of the host. The remaining rules deliberately lack the flag: all other traffic is dropped while Suricata is not running (fail-closed). If you would rather fail open, add --queue-bypass to those rules as well, knowing that inspection then silently stops whenever the engine is down.
Edit /etc/ufw/before6.rules the same way for IPv6, then reload ufw
# ufw reload
Verify that Suricata is dropping traffic
Change the action of signature 2100498 from alert to drop so that matching traffic is actively blocked instead of only logged.
Suricata treats a second active rule with the same sid and rev as a duplicate and discards it with an error, so first disable the original copy: open /var/lib/suricata/rules/suricata.rules and comment out the entry with sid:2100498
# vi /var/lib/suricata/rules/suricata.rules
#alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
Then create the drop version of the same rule, keeping sid 2100498 and rev 7, in /var/lib/suricata/rules/local.rules
# vi /var/lib/suricata/rules/local.rules
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
Caveat: suricata.rules is regenerated every time suricata-update runs, so the hand edit above is lost at the next rule update and the duplicate-sid clash comes back. The durable way to change a rule's action is suricata-update's /etc/suricata/modify.conf (a line such as 2100498 "^alert" "drop" rewrites the action on every update), with /etc/suricata/disable.conf for rules that should not be loaded at all.
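The custom SSH rule above and the sid 2100498 override are both hand-written rule text, and the failure mode of hand-written rule text is exactly the one just described: a sid that is still active in suricata.rules, a missing option, or a line Suricata cannot parse, discovered only in suricata.log after a reload. The following script is an added example, not code from the page or from the Suricata project: it parses rule headers and options, flags duplicate active sids and missing sid/msg options, and reports the effective action per sid. The rule text it checks is constructed from the rules shown on this page (metadata trimmed); the file names are just labels for the findings.

```python
"""Lint Suricata rule files before reloading them.

Added example, not code from the page or from the Suricata project. It parses
the rule header and options, then reports the problems a hand-edited override
like the page's sid 2100498 change can introduce: a duplicate active sid,
a missing sid or msg, and an unparseable line. The rule text at the bottom is
constructed from the rules shown on the page."""
import re
from collections import defaultdict

# action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(text):
    """Split 'key:value; key; ...' on semicolons that are outside double quotes.
    Returns {key: [value, ...]} because options such as content may repeat."""
    opts, buf, quoted, prev = {}, [], False, ""
    for ch in text + ";":          # trailing ';' flushes the last option
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, _, val = item.partition(":")
                opts.setdefault(key.strip(), []).append(val.strip())
        else:
            buf.append(ch)
        prev = ch
    return opts


def parse_rule(line):
    """Return a dict for an active rule, None for blank or commented lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER.match(line)
    if not m:
        raise ValueError("unparseable rule: " + line[:60])
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    sid = rule["options"].get("sid", [""])[0]
    rule["sid"] = int(sid) if sid.isdigit() else None
    rev = rule["options"].get("rev", ["0"])[0]
    rule["rev"] = int(rev) if rev.isdigit() else 0
    return rule


def lint(files):
    """files maps a file name to its text. Returns (rules_by_sid, findings)."""
    by_sid, findings = defaultdict(list), []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            try:
                rule = parse_rule(line)
            except ValueError as err:
                findings.append(f"{path}:{n}: {err}")
                continue
            if rule is None:
                continue
            if rule["sid"] is None:
                findings.append(f"{path}:{n}: rule has no numeric sid")
                continue
            if "msg" not in rule["options"]:
                findings.append(f"{path}:{n}: sid {rule['sid']} has no msg")
            rule["where"] = f"{path}:{n}"
            by_sid[rule["sid"]].append(rule)
    # Suricata discards a second active rule with the same sid and rev; catch
    # the clash here instead of in suricata.log after the reload.
    for sid, rules in sorted(by_sid.items()):
        if len(rules) > 1:
            where = ", ".join(r["where"] for r in rules)
            findings.append(f"duplicate sid {sid} active in {where}")
    return by_sid, findings


def effective_action(by_sid, sid):
    """Action of the single active rule for sid; None if absent or duplicated."""
    rules = by_sid.get(sid, [])
    return rules[0]["action"] if len(rules) == 1 else None


# Constructed rule text mirroring the page (ET Open sid 2100498, local.rules).
ET_ORIGINAL = (
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)\n'
)
LOCAL_RULES = (
    'alert ssh any any -> 192.168.11.83 !22 (msg:"SSH TRAFFIC on non-SSH port"; '
    'flow:to_client, not_established; classtype: misc-attack; target: dest_ip; sid:1000000;)\n'
    + ET_ORIGINAL.replace("alert ip", "drop ip", 1)
)

if __name__ == "__main__":
    for label, suricata_rules in (("original still active", ET_ORIGINAL),
                                  ("original commented out", "#" + ET_ORIGINAL)):
        by_sid, findings = lint({"suricata.rules": suricata_rules, "local.rules": LOCAL_RULES})
        print(f"{label}: effective action for 2100498 = {effective_action(by_sid, 2100498)}")
        for finding in findings:
            print("   ", finding)
```

Run against the real files by passing their contents to lint(); with the original ET line still active the script reports the duplicate and no single effective action, and once that line is commented out it reports drop for 2100498 and alert for 1000000, which is the state suricata -T should then confirm.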
Reload the signatures without restarting the engine (SIGUSR2 triggers a live rule reload)
# kill -USR2 $(pidof suricata)
Test the rule with curl
# curl --max-time 5 http://testmynids.org/uid/index.html
curl: (28) Operation timed out after 5001 milliseconds with 0 out of 39 bytes received
The request itself still goes out, because the rule matches the response body rather than the request; the segment carrying uid=0(root) is dropped before the kernel delivers it to curl, so the transfer stalls until the timeout.
Examine eve.json with jq
# jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
{
  "timestamp": "2026-03-07T12:11:02.128713+0900",
  "flow_id": 1901429235026622,
  "event_type": "alert",
  "src_ip": "13.249.165.82",
  "src_port": 80,
  "dest_ip": "192.168.11.83",
  "dest_port": 39328,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "community_id": "1:BGDLOlDjHL4OBlp4Mdf8l73Gqwo=",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2100498,
    "rev": 7,
    "signature": "GPL ATTACK_RESPONSE id check returned root",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_09_23"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "app_proto": "http",
  "direction": "to_client",
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 4,
    "bytes_toserver": 256,
    "bytes_toclient": 754,
    "start": "2026-03-07T12:11:02.115030+0900",
    "src_ip": "192.168.11.83",
    "dest_ip": "13.249.165.82",
    "src_port": 39328,
    "dest_port": 80
  }
}
"action" is now "blocked" where the earlier passive-mode alert said "allowed", which confirms the drop rule is in effect.
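The two jq queries on this page (the passive-mode alert with "action": "allowed" and the IPS-mode alert with "action": "blocked") are the selection a practitioner repeats after every rule change, and the question being answered is always the same: for this sid, did every firing since the reload get blocked? The script below is an added example, not code from the page or from the Suricata project. It reads eve.json line by line, applies the same selection as select(.alert.signature_id==2100498), tallies allowed versus blocked per sid, and checks that the drop held after a given timestamp. The EVE lines embedded in it are constructed: trimmed copies of the two alerts shown on this page plus filler http/flow events, a second local-rule alert, and one deliberately broken line to show that a half-written line does not abort the run. The cut-off timestamp and the 192.168.11.20 source in the SSH alert are likewise made up for the example.

```python
"""Select and summarise Suricata EVE JSON alerts.

Added example, not code from the page or from the Suricata project. It does
what the page's jq filter select(.alert.signature_id==2100498) does, and adds
what a practitioner wants after flipping a rule to drop: a per-sid count of
allowed versus blocked alerts, and a check that every firing after the reload
was blocked. The EVE lines below are constructed: trimmed copies of the two
alerts shown on the page plus filler events and one deliberately broken line."""
import json
import sys
from collections import Counter

EVE_SAMPLE = r'''
{"timestamp":"2026-03-07T10:18:54.244566+0900","flow_id":1792631861341614,"in_iface":"ens33","event_type":"alert","src_ip":"13.249.165.123","src_port":80,"dest_ip":"192.168.11.83","dest_port":53322,"proto":"TCP","community_id":"1:szOE3aOZBYbhTrHzHaSvbQf2ZA4=","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"app_proto":"http","direction":"to_client"}
{"timestamp":"2026-03-07T10:18:54.300000+0900","flow_id":1792631861341614,"event_type":"http","src_ip":"192.168.11.83","src_port":53322,"dest_ip":"13.249.165.123","dest_port":80,"proto":"TCP","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_method":"GET","status":200}}
{"timestamp":"2026-03-07T10:18:55.000000+0900","flow_id":1792631861341614,"event_type":"flow","src_ip":"192.168.11.83","src_port":53322,"dest_ip":"13.249.165.123","dest_port":80,"proto":"TCP"}
this line is not JSON (constructed to stand in for a line still being written)
{"timestamp":"2026-03-07T12:11:02.128713+0900","flow_id":1901429235026622,"event_type":"alert","src_ip":"13.249.165.82","src_port":80,"dest_ip":"192.168.11.83","dest_port":39328,"proto":"TCP","community_id":"1:BGDLOlDjHL4OBlp4Mdf8l73Gqwo=","alert":{"action":"blocked","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"app_proto":"http","direction":"to_client"}
{"timestamp":"2026-03-07T12:11:03.000000+0900","flow_id":1901429235026623,"event_type":"alert","src_ip":"192.168.11.20","src_port":51000,"dest_ip":"192.168.11.83","dest_port":2222,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000000,"rev":0,"signature":"SSH TRAFFIC on non-SSH port","category":"Misc Attack","severity":2},"app_proto":"ssh"}
'''


def load_events(text):
    """Parse one JSON object per line; return (events, number_of_bad_lines).
    eve.json is append-only and the last line may be half-written while
    Suricata is running, so a bad line is counted rather than treated as fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def alerts_for_sid(events, sid):
    """The jq selection: alert events whose alert.signature_id equals sid."""
    return [e for e in events
            if e.get("event_type") == "alert"
            and e.get("alert", {}).get("signature_id") == sid]


def action_summary(events):
    """Counter keyed by (sid, action): how often each rule fired and what Suricata did."""
    counts = Counter()
    for e in events:
        if e.get("event_type") == "alert":
            counts[(e["alert"]["signature_id"], e["alert"]["action"])] += 1
    return counts


def drop_verified(events, sid, since=None):
    """True when sid fired at least once and every firing was blocked.
    since is an EVE timestamp string; alerts before it are ignored so the
    'allowed' hits from before the rule change do not count against the check.
    Assumes all timestamps carry the same UTC offset, as one sensor produces,
    so plain string comparison orders them correctly."""
    hits = alerts_for_sid(events, sid)
    if since is not None:
        hits = [h for h in hits if h["timestamp"] >= since]
    return bool(hits) and all(h["alert"]["action"] == "blocked" for h in hits)


if __name__ == "__main__":
    # Pass a path to read a real eve.json; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EVE_SAMPLE
    events, bad = load_events(text)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for (sid, action), n in sorted(action_summary(events).items()):
        print(f"sid {sid}: {action} x{n}")
    print("2100498 blocked since rule reload:",
          drop_verified(events, 2100498, "2026-03-07T12:00:00+0900"))
```

Without a since cut-off, drop_verified reports False for 2100498 because the pre-change "allowed" alert is still in the file; with the cut-off set to the time of the SIGUSR2 reload it reports True. That distinction matters in practice, since eve.json is not truncated by a rule reload and a naive "any blocked alert exists" check would pass even if only one of several firings had been dropped.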
Integration of the Elastic Stack and Suricata
Install and configure the Elastic Stack to search and visualize Suricata logs more efficiently.
This section is performed on the second server (Debian 13.x, IP 192.168.11.85).
For the installation steps themselves, refer to the page below.
Starting Elasticsearch
Start and enable the service (enable --now also starts it, so no separate start is needed)
# systemctl daemon-reload
# systemctl enable --now elasticsearch
Verify operation
Use curl to confirm that Elasticsearch answers. The connection is verified against the CA certificate Elasticsearch generated at install time, and -u elastic without a password makes curl prompt for it interactively, which keeps it out of the shell history.
# curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://192.168.11.85:9200
Enter host password for user 'elastic':
{
  "name" : "Lion",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "AJeXST6-TtKDXtYRG0MSaA",
  "version" : {
    "number" : "9.3.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "0dd66e52ba3aa076cf498264e46339dbb71f0269",
    "build_date" : "2026-02-23T23:37:38.684779921Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.2",
    "minimum_wire_compatibility_version" : "8.19.0",
    "minimum_index_compatibility_version" : "8.0.0"
  },
  "tagline" : "You Know, for Search"
}
Kibana install
Install and configure Kibana to visualize Suricata logs.
This section is also performed on the second server (Debian 13.x, IP 192.168.11.85).
For instructions on reaching the Kibana 9 dashboard after installation, refer to the page below.
Install Filebeat on the Suricata server
1. Install
$ yay -S filebeat-bin
2. Obtain the Elasticsearch CA certificate
Filebeat must trust the certificate Elasticsearch presents on port 9200. Save the CA certificate on the Suricata server, in this example as /etc/filebeat/elastic-ca.crt.
* Port 9200 on the second server (Debian 13.x, running Elasticsearch) must be reachable from 192.168.11.83.
The page pulls the certificate from the live endpoint:
# openssl s_client -connect 192.168.11.85:9200 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/filebeat/elastic-ca.crt
Caveat: this is trust-on-first-use over an unauthenticated connection, and openssl x509 keeps only the first certificate of the chain, which is the server's own leaf certificate rather than the signing CA. It works because Filebeat's TLS verifier (Go's) accepts a server certificate that is itself listed in certificate_authorities, but it breaks as soon as that leaf certificate is rotated. The more robust choice is to copy /etc/elasticsearch/certs/http_ca.crt, the same file used with curl --cacert above, from the Elasticsearch host over an authenticated channel such as scp.
3. Configure Filebeat to connect to Elasticsearch and Kibana
# vi /etc/filebeat/filebeat.yml
Line 137 (setup.kibana): below the commented-out #host: "localhost:5601", add the IP address and port of the Kibana instance
host: "192.168.11.85:5601"
Line 164 (output.elasticsearch): comment out #hosts: ["localhost:9200"]
Line 165: enter the Elasticsearch address and port
hosts: ["https://192.168.11.85:9200"]
Line 171: uncomment
protocol: "https"
Line 172: point at the CA certificate saved in step 2
ssl.certificate_authorities: ["/etc/filebeat/elastic-ca.crt"]
Lines 175-176: uncomment, keep the username and enter the password of the elastic user
username: "elastic"
password: "xxxxxxxxx"
Two things a production deployment should change here. The password sits in plaintext in filebeat.yml; store it in the Filebeat keystore instead (filebeat keystore create, then filebeat keystore add with a key name of your choice, for example ES_PWD) and reference it as password: "${ES_PWD}". And elastic is the cluster superuser; a log shipper only needs to write its own indices and load its setup assets, so create a dedicated user with a role limited to that, or an API key, rather than handing Filebeat the superuser credential.
4. Configuration file test
# filebeat test config
Config OK
5. Enable Filebeat's built-in Suricata module
# filebeat modules enable suricata
The command above renames /etc/filebeat/modules.d/suricata.yml.disabled to /etc/filebeat/modules.d/suricata.yml but leaves the contents unchanged, so edit it so the eve fileset is enabled and points at Suricata's EVE log:
# vi /etc/filebeat/modules.d/suricata.yml
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-suricata.html

- module: suricata
  # All logs
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
6. Set up the initial environment
filebeat setup loads the ingest pipelines for the Suricata module into Elasticsearch (these are what map EVE fields to ECS), the index template, and the SIEM dashboards into Kibana. It needs the Kibana and Elasticsearch connection settings from step 3, and -e sends its log to stderr so progress is visible.
# filebeat setup -e
--------------------------------------------------------------------------------
{"log.level":"info","@timestamp":"2026-03-19T15:52:19.174+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-pipeline","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-19T15:52:19.299+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-dns","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-19T15:52:19.475+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-dns-answer-v1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-19T15:52:19.695+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-dns-answer-v2","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-19T15:52:19.869+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-tls","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-19T15:52:20.060+0900","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.LoadPipeline","file.name":"fileset/pipelines.go","file.line":134},"message":"Elasticsearch pipeline loaded.","service.name":"filebeat","pipeline":"filebeat-9.2.3-suricata-eve-http","ecs.version":"1.6.0"}
-------------------------------------------------------------------------------------
(output abridged)
7. Start the Filebeat service
# systemctl start filebeat.service
Enable the unit as well so that shipping resumes after a reboot; otherwise Suricata keeps writing eve.json locally but nothing reaches Elasticsearch until Filebeat is started by hand. Once events arrive, the Suricata dashboards loaded by filebeat setup appear under Kibana's dashboard list.
For further information, please refer to the page below.