Create 12-suricata.conf

conf.d/12-suricata.conf

+# 12-suricata.conf
+filter {
+  if "pf" in [tags] and [application] =~ /^suricata$/ {
+    mutate {
+      add_tag => [ "Suricata" ]
+    }
+    if [message] =~ /^{.*}$/ {
+      json {
+        source => "message"
+        target => "[suricata][eve]"
+      }
+    } else {
+      grok {
+        patterns_dir => ["/etc/logstash/conf.d/patterns"]
+        match => [ "message", "%{SURICATA}"]
+      }
+    }
+    if [suricata][eve][src_ip] and ![source][ip] {
+  		mutate {
+  		  add_field => { "[source][ip]" => "%{[suricata][eve][src_ip]}"}
+  		}
+	  }
+	  if [suricata][eve][dest_ip] and ![destination][ip] {
+  		mutate {
+  		  add_field => { "[destination][ip]" => "%{[suricata][eve][dest_ip]}"}
+  		}
+	  }
+	  if [suricata][eve][src_port] and ![source][port] {
+  		mutate {
+  		  add_field => { "[source][port]" => "%{[suricata][eve][src_port]}"}
+  		}
+	  }
+	  if [suricata][eve][dest_port] and ![destination][port] {
+  		mutate {
+  		  add_field => { "[destination][port]" => "%{[suricata][eve][dest_port]}"}
+  		}
+	  }
+    if [source][ip] {
+  		# Check if source.ip address is private.
+  		cidr {
+  		  address => [ "%{[source][ip]}" ]
+  		  network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+  		  add_field => { "[src_locality]" => "private" }
+  		}
+  		if ![src_locality] {
+        geoip {
+          add_tag => [ "GeoIP" ]
+          source => "[source][ip]"
+          database => "/etc/logstash/GeoLite2-City.mmdb"
+          target => "[source][geo]"
+        }
+        geoip {
+          default_database_type => 'ASN'
+          database => "/etc/logstash/GeoLite2-ASN.mmdb"
+          #cache_size => 5000
+          source => "[source][ip]"
+          target => "[source][as]"
+        }
+        mutate {
+          rename => { "[source][as][asn]" => "[source][as][number]"}
+          rename => { "[source][as][as_org]" => "[source][as][organization][name]"}
+        }
+      }
+    }
+    if [destination][ip] {
+  		# Check if destination.ip address is private.
+  		cidr {
+  		  address => [ "%{[destination][ip]}" ]
+  		  network => [ "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8", "255.255.255.255/32", "::" ]
+  		  add_field => { "[dest_locality]" => "private" }
+  		}
+  		if ![dest_locality] {
+        geoip {
+          add_tag => [ "GeoIP" ]
+          source => "[destination][ip]"
+          database => "/etc/logstash/GeoLite2-City.mmdb"
+          target => "[destination][geo]"
+        }
+        geoip {
+          default_database_type => 'ASN'
+          database => "/etc/logstash/GeoLite2-ASN.mmdb"
+          #cache_size => 5000
+          source => "[destination][ip]"
+          target => "[destination][as]"
+        }
+        mutate {
+        rename => { "[destination][as][asn]" => "[destination][as][number]"}
+            rename => { "[destination][as][as_org]" => "[destination][as][organization][name]"}
+        }
+  	  }
+	}
+    mutate {
+	    add_field => { "[event][module]" => "suricata"}
+	    add_field => { "[event][dataset]" => "suricata"}
+	    rename => { "[message]" => "[event][original]"}
+    }
+  }
+}