Parsing Suricata JSON logs with NW

Document created by Miha Mesojedec Employee on Aug 13, 2018

To parse Suricata JSON logs received via the syslog collector, we need to use a Lua parser on the NetWitness Log Decoder.

The Suricata Lua parser in this example maps only specific fields from the JSON logs to metakeys. If additional metakeys need to be mapped, the Lua parser must be modified and the additional "custom" metakeys must be added to the Concentrator index file.


The process for deploying the attached files is as follows:

  • Load the XML parser to your Log Decoder using RSA Live > Deploy
  • Load the json.lua and suricata.lua parsers to your Log Decoder
    • You can copy json.lua to /etc/netwitness/ng/parsers on your Log Decoder
    • You can use the upload option in the parser tab of your Log Decoder to upload the suricata.lua parser
  • Add custom metakeys to index-concentrator-custom.xml on your Concentrator(s)
  • Create a parser mapping for your parser
  • Restart the Log Decoder and Concentrator services
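
The field-to-metakey mapping described above, as an added offline sketch in Python (not the attached Lua parser and not NetWitness code): it pulls the JSON out of a constructed syslog line, maps selected EVE fields to metakeys, and lists the fields that would need a parser change and possibly a custom metakey. The mapping table and the metakey names in it are assumptions chosen for illustration.

```python
import json

# Assumed mapping for illustration (not the attached parser's): EVE field -> metakey.
FIELD_TO_METAKEY = {
    "event_type": "event.type",
    "src_ip": "ip.src", "src_port": "ip.srcport",
    "dest_ip": "ip.dst", "dest_port": "ip.dstport",
    "alert.signature": "policy.name",
    "alert.signature_id": "sig.id",
    "alert.severity": "severity",
}

def extract_json(syslog_line):
    # The EVE record follows the syslog header; a truncated or missing
    # JSON body (e.g. cut by a syslog size limit) yields None.
    start = syslog_line.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(syslog_line[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def flatten(obj, prefix=""):
    # Turn nested objects into dotted paths such as "alert.signature".
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat

def map_event(syslog_line):
    # Returns (meta, unmapped): metakey values, and EVE fields with no mapping.
    event = extract_json(syslog_line)
    if event is None:
        return {}, []
    flat = flatten(event)
    meta = {FIELD_TO_METAKEY[f]: str(v) for f, v in flat.items() if f in FIELD_TO_METAKEY}
    return meta, sorted(f for f in flat if f not in FIELD_TO_METAKEY)

# Constructed sample: a Suricata EVE alert as it could arrive over syslog.
SAMPLE = ('<142>Aug 13 10:15:01 sensor01 suricata[2210]: '
          '{"timestamp":"2018-08-13T10:15:01.000000+0200","event_type":"alert",'
          '"src_ip":"192.0.2.10","src_port":49152,"dest_ip":"198.51.100.7",'
          '"dest_port":80,"alert":{"signature_id":1000001,'
          '"signature":"Constructed test rule","category":"Misc activity","severity":3}}')

if __name__ == "__main__":
    meta, unmapped = map_event(SAMPLE)
    print(meta, "not mapped:", unmapped)
```

Fields reported as not mapped are the ones that will be missing from the Meta reconstruction until the parser and, where needed, the index file are extended.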


RAW reconstruction of event log

Meta Reconstruction of event log



Big thanks to Helmut Wahrmann, who helped me develop the first JSON Lua parser for NW.