Suricata Logs

Connecting Suricata logs to your Panther Console

Overview

Panther supports ingesting Suricata logs via common Data Transport options: Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Suricata logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for the log type you want to onboard, then click its tile.

  4. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring that method.

  5. Configure Suricata to push logs to the Data Transport source.

    • See Suricata's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in all tables are in bold.

Suricata.Alert

Suricata parser for the Alert event type in the EVE JSON output.

For more information, see the Suricata documentation on

Reference: Suricata.Alert

Suricata.Anomaly

Suricata parser for the Anomaly event type in the EVE JSON output.

Reference: Suricata Documentation on EVE JSON Output Anomalies.

| Column | Type | Description |
|---|---|---|
| anomaly | { "code":bigint, "event":string, "layer":string, "type":string } | Suricata Anomaly Anomaly |
| app_proto | string | Suricata Anomaly AppProto |
| community_id | string | Suricata Anomaly CommunityID |
| dest_ip | string | Suricata Anomaly DestIP |
| dest_port | int | Suricata Anomaly DestPort |
| event_type | string | Suricata Anomaly EventType |
| flow_id | bigint | Suricata Anomaly FlowID |
| icmp_code | bigint | Suricata Anomaly IcmpCode |
| icmp_type | bigint | Suricata Anomaly IcmpType |
| metadata | { "flowbits":[string], "flowints":{ "applayer_anomaly_count":bigint, "http_anomaly_count":bigint, "tcp_retransmission_count":bigint, "tls_anomaly_count":bigint } } | Suricata Anomaly Metadata |
| packet | string | Suricata Anomaly Packet |
| packet_info | { "linktype":bigint } | Suricata Anomaly PacketInfo |
| pcap_cnt | bigint | Suricata Anomaly PcapCnt |
| pcap_filename | string | Suricata Anomaly PcapFilename |
| proto | bigint | Suricata Anomaly Proto |
| src_ip | string | Suricata Anomaly SrcIP |
| src_port | int | Suricata Anomaly SrcPort |
| timestamp | timestamp | Suricata Anomaly Timestamp |
| tx_id | bigint | Suricata Anomaly TxID |
| vlan | [bigint] | Suricata Anomaly Vlan |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of IP addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes associated with the row |

Suricata.DHCP

Suricata parser for the DHCP event type in the EVE JSON output.

Reference: Suricata.DHCP

Suricata.DNS

Suricata parser for the DNS event type in the EVE JSON output.

Reference: Suricata Documentation on EVE JSON Output DNS.

| Column | Type | Description |
|---|---|---|
| community_id | string | Suricata DNS CommunityID |
| dns | { "aa":boolean, "answers":[{ "rdata":string, "rrname":string, "rrtype":string, "ttl":bigint }], "authorities":[{ "rrname":string, "rrtype":string, "ttl":bigint }], "flags":string, "grouped":{ "A":[string], "AAAA":[string], "CNAME":[string], "MX":[string], "PTR":[string], "TXT":[string] }, "id":bigint, "qr":boolean, "ra":boolean, "rcode":string, "rd":boolean, "rrname":string, "rdata":string, "rrtype":string, "ttl":bigint, "tx_id":bigint, "type":string, "version":bigint } | Suricata DNS DNS |
| dest_ip | string | Suricata DNS DestIP |
| dest_port | int | Suricata DNS DestPort |
| event_type | string | Suricata DNS EventType |
| flow_id | bigint | Suricata DNS FlowID |
| pcap_cnt | bigint | Suricata DNS PcapCnt |
| pcap_filename | string | Suricata DNS PcapFilename |
| proto | bigint | Suricata DNS Proto |
| src_ip | string | Suricata DNS SrcIP |
| src_port | int | Suricata DNS SrcPort |
| timestamp | timestamp | Suricata DNS Timestamp |
| vlan | [bigint] | Suricata DNS Vlan |
| p_log_type | string | Panther added field with type of log |
| p_row_id | string | Panther added field with unique id (within table) |
| p_event_time | timestamp | Panther added standardized event time (UTC) |
| p_parse_time | timestamp | Panther added standardized log parse time (UTC) |
| p_source_id | string | Panther added field with the source id |
| p_source_label | string | Panther added field with the source label |
| p_any_ip_addresses | [string] | Panther added field with collection of IP addresses associated with the row |
| p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
| p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
| p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
| p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes associated with the row |
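As an added illustration (not part of the Panther documentation or of Panther's parser), the Python below walks one Suricata EVE DNS record and collects the addresses and hostnames it would contribute to the p_any_ip_addresses and p_any_domain_names columns, handling both shapes the dns column allows: the detailed answers list and the grouped lists keyed by record type. The sample records, the helper name dns_indicators and the record-type classification are constructed assumptions, not Panther's own derivation logic.

```python
import json

# Constructed Suricata EVE DNS records (sample data, not captured traffic).
# Suricata emits answers either as a detailed list (dns.answers) or as lists
# keyed by record type (dns.grouped); the Suricata.DNS "dns" column holds both.
DETAILED = json.dumps({
    "timestamp": "2024-01-01T12:00:00.000000+0000", "event_type": "dns",
    "flow_id": 1, "src_ip": "203.0.113.53", "src_port": 53,
    "dest_ip": "10.0.0.5", "dest_port": 40000,
    "dns": {"version": 2, "type": "answer", "id": 7, "rcode": "NOERROR",
            "rrname": "www.example.com", "rrtype": "A",
            "answers": [
                {"rrname": "www.example.com", "rrtype": "CNAME", "ttl": 60,
                 "rdata": "cdn.example.net"},
                {"rrname": "cdn.example.net", "rrtype": "A", "ttl": 60,
                 "rdata": "203.0.113.10"}]}})
GROUPED = json.dumps({
    "timestamp": "2024-01-01T12:00:01.000000+0000", "event_type": "dns",
    "flow_id": 2, "src_ip": "203.0.113.53", "src_port": 53,
    "dest_ip": "10.0.0.5", "dest_port": 40001,
    "dns": {"version": 2, "type": "answer", "id": 8, "rcode": "NOERROR",
            "rrname": "mail.example.com", "rrtype": "AAAA",
            "grouped": {"AAAA": ["2001:db8::25"], "CNAME": ["mx.example.net"]}}})

IP_TYPES = {"A", "AAAA"}             # rdata is an address
NAME_TYPES = {"CNAME", "MX", "PTR"}  # rdata is a hostname; TXT is skipped

def dns_indicators(line):
    """Return (ips, domains) that one EVE DNS line contributes to the
    p_any_ip_addresses / p_any_domain_names columns. Hypothetical helper:
    an approximation, not Panther's own derivation."""
    event = json.loads(line)
    if event.get("event_type") != "dns":
        raise ValueError("not a Suricata DNS event")
    dns = event["dns"]
    ips = {event["src_ip"], event["dest_ip"]}
    domains = {dns["rrname"]} if dns.get("rrname") else set()
    for answer in dns.get("answers", []):                  # detailed format
        domains.add(answer["rrname"])
        if answer["rrtype"] in IP_TYPES:
            ips.add(answer["rdata"])
        elif answer["rrtype"] in NAME_TYPES:
            domains.add(answer["rdata"])
    for rrtype, values in dns.get("grouped", {}).items():  # grouped format
        if rrtype in IP_TYPES:
            ips.update(values)
        elif rrtype in NAME_TYPES:
            domains.update(values)
    return sorted(ips), sorted(domains)
```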

Suricata.FileInfo

Suricata parser for the FileInfo event type in the EVE JSON output.

Reference: File and store EVE file info.

Suricata.Flow

Suricata parser for the Flow event type in the EVE JSON output.

Reference: Flow event type.

Suricata.HTTP

Suricata parser for the HTTP event type in the EVE JSON output.

Reference: HTTP event type.

Suricata.SSH

Suricata parser for the SSH event type in the EVE JSON output.

Reference: SSH event type.

Suricata.TLS

Suricata parser for the TLS event type in the EVE JSON output.

Reference: TLS event type.
