Suricata IDS (syslog)
Configure Suricata IDS for syslog forwarding to Radiant Security.
This guide walks you through setting up the Suricata IDS connector in Radiant Security so that Suricata alert logs are forwarded to Radiant over syslog.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Radiant Agent option and then click Data Feeds.
Under Select your data feeds, select Suricata IDS and click Credentials.
Under Credential Name, give your Radiant Agent integration an identifiable name (e.g. Radiant Agent Integration), then click Add Connector.
Configure a local Radiant Security Agent
Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.
Configure Suricata IDS to forward logs to the Radiant Security Log Collector
The following is a suggested way to configure Suricata and rsyslog to send logs to the Radiant Agent; you can use the syslog forwarding tool of your choice instead. Refer to the official Suricata documentation for more details.
Open your Suricata configuration file (usually located at /etc/suricata/suricata.yaml) and add the following lines under the Outputs section:
Open your syslog configuration file (e.g. /etc/rsyslog.conf) and add a forwarding line similar to the following:
Replace <VM_IP_ADDRESS> and <VM_PORT> with the actual private IP address and port of the VM where the Radiant Agent was installed. Restart both the Suricata IDS and syslog services to apply the changes.
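As an added example (not from the Radiant Security page or the Suricata project), the shell script below renders the two configuration fragments described above and validates the agent address before emitting the rsyslog rule. The syslog facility (local5), the TCP transport (@@) and the Suricata syslog output keys are assumptions to adapt to your deployment.

```shell
#!/bin/sh
# Added example: render the Suricata syslog output block and the rsyslog
# forwarding rule for a given agent address. Facility local5 and TCP are
# assumptions; change them if your syslog layout differs.

# Lines to place under the top-level "outputs:" key of /etc/suricata/suricata.yaml.
# Suricata then hands alerts to the local syslog daemon with this facility.
suricata_syslog_output() {
  cat <<'EOF'
  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Info
EOF
}

# RFC 1918 check: the procedure asks for the agent's *private* IP, so refuse
# anything else instead of forwarding alert traffic to a public address.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# rsyslog rule for /etc/rsyslog.conf: "@@" forwards over TCP (connection is
# retried on failure); a single "@" would forward over UDP (fire-and-forget).
rsyslog_forward_rule() {
  ip="$1"; port="$2"
  is_private_ipv4 "$ip" || { echo "refusing non-private agent IP: $ip" >&2; return 1; }
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
  esac
  printf 'local5.* @@%s:%s\n' "$ip" "$port"
}

# Usage: sh forward.sh <VM_IP_ADDRESS> <VM_PORT> prints both fragments;
# apply them, then restart both daemons so the new configuration is read.
if [ "$#" -eq 2 ]; then
  echo "# suricata.yaml (under outputs:)"; suricata_syslog_output
  echo "# rsyslog.conf"; rsyslog_forward_rule "$1" "$2" || exit 1
  echo "# then: sudo systemctl restart suricata rsyslog"
fi
```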