Kibana is really good for getting a high level overview of your Suricata events, but I didn’t find it very useful for reviewing individual events, and I’m not really sure if Kibana is really built around that idea, so I created EveBox, a web based event viewer for Suricata events being logged to Elastic Search in “eve” format with a focus on keyboard navigation:
Yes, forgive the “yet another bootstrap app” looks, but I’m not a designer nor do I pretend to be.
If you log thousands, or even hundreds of events per second, then EveBox is probably not for you, the “inbox” will be unmanageable. However, if you run a highly tuned ruleset, EveBox gives you full keyboard navigation review of those events.
Its still a little crude in some areas, for example, if you open an event to get further details you are just going to see the JSON as returned by Elastic Search, personally I like this but I think something a little easier on the eyes is needed. It will also be more useful with eve logs the alert packet, but for now it pivot to Dumpy (a rather basic daemonlogger spool directory frontend) to get a packet capture of the alert triggering data.
I’ve also learned that while Elastic Search is great (well, more like awesome) for searching, its not the best tool for mass updates of records such as “tagging” every entry that matches a query. For such cases it might be useful to introduce a backend at some point so the HTML5 application can hand off some of the grunt work to a backend server that can handle the batch tasks. PostgreSQL 9.4 with its new JSON(b) column could also prove to a very capable data store for Suricata eve events (Cassandra might be another option as well).
If you would like to try, go get the latest release and drop it on a web server. For now its just straight up HTML like Kibana, so its basically a 0 effort install. If that sounds to hard head over to http://codemonkey.net/evebox, click on settings and enter the URL to your Elastic Search server. The “inbox” won’t be there until you configure Logstash accordingly, but you can still review events under “All’. NOTE: My server will not connect to your Elastic Search, the settings only tell the HTML5 application where to connect to Elastic Search).
If you are not yet using Suricata, Snort can easily be used instead. For more info on sending Snort events to Elastic Search in “eve” format see my post Snort, Logstash, Elastic Search and Kibana…