Suricata Logs

Knowledge Base Panther.com Release Notes Demo Request
Search…
Suricata Logs
Connecting Suricata logs to your Panther Console
Overview
Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.
How to onboard Suricata logs to Panther
To connect these logs into Panther:
1.Set up your Data Transport in the Panther Console.
Please follow Panther’s documentation for configuring the Data Transport option you will use:
​AWS S3 bucket​
​AWS SQS​
​AWS CloudWatch​
2.Configure Suricata to push logs to the Data Transport source.
See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Required fields in all tables are in bold.
Suricata.Anomaly
Suricata parser for the Anomaly event type in the EVE JSON output.
Reference: Suricata Documentation on EVE JSON Output Anomalies.​
Column
Type
Description
anomaly
{   "code":bigint,   "event":string,   "layer":string,   "type":string }
Suricata Anomaly Anomaly
app_proto
string
Suricata Anomaly AppProto
community_id
string
Suricata Anomaly CommunityID
dest_ip
string
Suricata Anomaly DestIP
dest_port
int
Suricata Anomaly DestPort
event_type
string
Suricata Anomaly EventType
flow_id
bigint
Suricata Anomaly FlowID
icmp_code
bigint
Suricata Anomaly IcmpCode
icmp_type
bigint
Suricata Anomaly IcmpType
metadata
{   "flowbits":[string],   "flowints":{     "applayer_anomaly_count":bigint,     "http_anomaly_count":bigint,     "tcp_retransmission_count":bigint,     "tls_anomaly_count":bigint } }
Suricata Anomaly Metadata
packet
string
Suricata Anomaly Packet
packet_info
{   "linktype":bigint }
Suricata Anomaly PacketInfo
pcap_cnt
bigint
Suricata Anomaly PcapCnt
pcap_filename
string
Suricata Anomaly PcapFilename
proto
bigint
Suricata Anomaly Proto
src_ip
string
Suricata Anomaly SrcIP
src_port
int
Suricata Anomaly SrcPort
timestamp
timestamp
Suricata Anomaly Timestamp
tx_id
bigint
Suricata Anomaly TxID
Suricata.DNS
Suricata parser for the DNS event type in the EVE JSON output.
Reference: Suricata Documentation on EVE JSON Output DNS.​
Column
Type
Description
community_id
string
Suricata DNS CommunityID
dns
{   "aa":boolean,   "answers":[{     "rdata":string,     "rrname":string,     "rrtype":string,     "ttl":bigint }],   "authorities":[{     "rrname":string,     "rrtype":string,     "ttl":bigint }],   "flags":string,   "grouped":{     "A":[string],     "AAAA":[string],     "CNAME":[string],     "MX":[string],     "PTR":[string],     "TXT":[string] },   "id":bigint,   "qr":boolean,   "ra":boolean,   "rcode":string,   "rd":boolean,   "rrname":string,   "rdata":string,   "rrtype":string,   "ttl":bigint,   "tx_id":bigint,   "type":string,   "version":bigint }
Suricata DNS DNS
dest_ip
string
Suricata DNS DestIP
dest_port
int
Suricata DNS DestPort
event_type
string
Suricata DNS EventType
flow_id
bigint
Suricata DNS FlowID
pcap_cnt
bigint
Suricata DNS PcapCnt
pcap_filename
string
Suricata DNS PcapFilename
proto
bigint
Suricata DNS Proto
src_ip
string
Suricata DNS SrcIP
src_port
int
Suricata DNS SrcPort
timestamp
timestamp
Suricata DNS Timestamp
vlan
[bigint]
Suricata DNS Vlan
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_event_time
timestamp
Panther added standardize event time (UTC)
p_parse_time
timestamp
Panther added standardize log parse time (UTC)
p_source_id
string
Panther added field with the source id
p_source_label
string
Panther added field with the source label
Snyk Logs
Syslog Logs
Last modified 22d ago
Copy link
Outline
Overview
How to onboard Suricata logs to Panther
Supported log types
Suricata.Anomaly
Suricata.DNS