Log Parser for Suri Oculus
The Suri Oculus system interacts with Suricata, processing its logs in two possible operating modes:
Standard Mode: Suricata logs are written to a standard JSON format file.

Configuration for eve-log in Suricata:

    eve-log:
      enabled: yes
      filetype: regular # Variants: regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
Redis Mode (primary for Suri Oculus): Suricata sends logs directly to the Redis database.

Configuration for eve-log in Suricata:

    eve-log:
      enabled: yes
      filetype: redis # Variants: regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
Depending on the selected mode, two different services are used for log processing:
daemonmove for working with Redis.
daemonparser for working with the regular log file format.
Both services are started with the standard Linux command systemctl start service_name. The result of the service operation is the distribution of records from eve.json into the corresponding keys in the database or file system.
Configuration of daemonmove and daemonparser

The configuration file conf.cfg for the daemonmove service is located in the /etc/redismove directory. It has the following format:

    # Configuration file for the application
    application:
    {
      main:
      {
        title = "REDISMOVE";
        version = "0.4.2";
        date = "23 Mar 2024";
      };
      settings:
      {
        main_key = "suricata";
        keys = ("alert", "anomaly", "dcerpc", "flow", "http", "dns", "drop",
                "stats_report", "fileinfo", "tls", "stats", "ftp", "sip", "smb",
                "snmp", "ssh", "flow_data", "tftp", "ssh", "bittorrent_dht", "rdp",
                "http2", "pqsql", "quic", "modbus");
        valid_duration = 24;
        log_file = "/var/log/suricata/eve.json";
        temp_file = "/tmp/daemonparser/current";
      };
    };
This file defines the main operating parameters of the service, including keys for event distribution and paths to log and temporary files.
Ensure that the configuration meets your requirements and is correctly set up for working with your Suri Oculus system.
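The following is an added illustration of the distribution step described above, written here as an example and not taken from the daemonmove or daemonparser code. It reads eve.json lines, routes each record by its event_type into a bucket named main_key:event_type (the exact key naming used by Suri Oculus is an assumption), and skips records whose event_type is not in the configured key list as well as malformed lines such as a partially written last line. The sample lines are constructed, not captured from a sensor.

```python
import json
from collections import defaultdict

# Values taken from the conf.cfg shown above (set form removes the duplicated "ssh").
MAIN_KEY = "suricata"
KEYS = {"alert", "anomaly", "dcerpc", "flow", "http", "dns", "drop", "stats_report",
        "fileinfo", "tls", "stats", "ftp", "sip", "smb", "snmp", "ssh", "flow_data",
        "tftp", "bittorrent_dht", "rdp", "http2", "pqsql", "quic", "modbus"}

# Constructed eve.json lines: three routable events, one event type outside the
# configured key list, and one truncated line (as left by a partial write).
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-03-23T10:00:00+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature_id": 1000001, "severity": 2}}),
    json.dumps({"timestamp": "2024-03-23T10:00:01+0000", "event_type": "dns",
                "dns": {"type": "query", "rrname": "example.com"}}),
    json.dumps({"timestamp": "2024-03-23T10:00:02+0000", "event_type": "flow",
                "proto": "TCP", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}),
    json.dumps({"timestamp": "2024-03-23T10:00:03+0000", "event_type": "netflow"}),
    '{"timestamp":"2024-03-23T10:00:04+0000","event_type":"alert"',
]


def route_record(line, keys=KEYS, main_key=MAIN_KEY):
    """Return (bucket_key, record) for one eve.json line, or None if it is skipped.

    A line is skipped when it is not valid JSON or when its event_type is not one
    of the configured keys, so unknown event types never create stray buckets.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    event_type = record.get("event_type")
    if event_type not in keys:
        return None
    # Assumed key layout: "<main_key>:<event_type>", e.g. "suricata:alert".
    return f"{main_key}:{event_type}", record


def distribute(lines, keys=KEYS, main_key=MAIN_KEY):
    """Group eve.json lines into per-event-type buckets; also count skipped lines."""
    buckets = defaultdict(list)
    skipped = 0
    for line in lines:
        routed = route_record(line, keys, main_key)
        if routed is None:
            skipped += 1
            continue
        bucket_key, record = routed
        buckets[bucket_key].append(record)
    return dict(buckets), skipped
```

A real implementation would tail the file from a saved offset (the temp_file setting above is where such state would live) and push each record to the corresponding key instead of collecting it in memory.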