Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch. Unified2 files are created by IDS/IPS software such as Snort and Suricata.
Note: only "output unified2: ..." is supported in snort.conf.
In addition to Kibana, a Go web app called Pakquery is available for searching the data indexed by Unifiedbeat. Pakquery's searches use the same simple Lucene syntax as Kibana. Unlike Kibana, however, Pakquery understands the link between event and packet record types through the event_id field, so clicking either an event record or a packet record shows the complete event/packet details.
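As an added illustration of the event/packet link described above (this is example code written for this page, not Unifiedbeat's or Pakquery's own parser), the following Go program decodes a Unified2 byte stream and groups packet records under the event that shares their sensor_id and event_id. The record header (big-endian type and length) and the layouts of the type 7 IDS event and type 2 packet record are taken from the public Unified2 format definitions; the sample stream is constructed inline and is not real IDS output. Because the length fields come from a file the collector does not control, the parser caps record size and reports truncation instead of trusting them.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Record type codes from the Unified2 record header (values from the public
// Snort unified2 definitions; only the two types handled here are listed).
const (
	typePacket   = 2
	typeIDSEvent = 7
	maxRecordLen = 1 << 20 // sanity cap: length fields in the file are untrusted input
)

// IDSEvent is the fixed 52-byte body of a Unified2 IDS event (type 7), big-endian.
type IDSEvent struct {
	SensorID, EventID, EventSecond, EventMicrosecond uint32
	SignatureID, GeneratorID, SignatureRevision      uint32
	ClassificationID, PriorityID                     uint32
	IPSource, IPDestination                          uint32
	SportItype, DportIcode                           uint16
	Protocol, ImpactFlag, Impact, Blocked            uint8
}

// PacketHeader is the 28-byte fixed prefix of a Unified2 packet record (type 2);
// PacketLength bytes of raw captured packet follow it inside the same record.
type PacketHeader struct {
	SensorID, EventID, EventSecond  uint32
	PacketSecond, PacketMicrosecond uint32
	Linktype, PacketLength          uint32
}

// Packet pairs a packet header with its captured bytes.
type Packet struct {
	Header PacketHeader
	Data   []byte
}

// EventKey is the join key Pakquery relies on: sensor_id plus event_id.
type EventKey struct{ SensorID, EventID uint32 }

// Correlated holds one event and every packet record sharing its key.
type Correlated struct {
	HasEvent bool
	Event    IDSEvent
	Packets  []Packet
}

// ParseUnified2 walks a Unified2 byte stream and groups packet records under
// the event they belong to. Unknown record types are skipped; a truncated or
// oversized record is reported as an error rather than silently dropped.
func ParseUnified2(data []byte) (map[EventKey]*Correlated, error) {
	r := bytes.NewReader(data)
	out := map[EventKey]*Correlated{}
	for {
		var hdr struct{ Type, Length uint32 }
		err := binary.Read(r, binary.BigEndian, &hdr)
		if err == io.EOF {
			return out, nil // clean end of stream
		}
		if err != nil {
			return nil, fmt.Errorf("short record header: %w", err)
		}
		if hdr.Length > maxRecordLen {
			return nil, fmt.Errorf("record type %d claims %d bytes, above cap", hdr.Type, hdr.Length)
		}
		body := make([]byte, hdr.Length)
		if _, err := io.ReadFull(r, body); err != nil {
			return nil, fmt.Errorf("truncated record of type %d: %w", hdr.Type, err)
		}
		switch hdr.Type {
		case typeIDSEvent:
			var ev IDSEvent
			if err := binary.Read(bytes.NewReader(body), binary.BigEndian, &ev); err != nil {
				return nil, fmt.Errorf("malformed event body: %w", err)
			}
			c := group(out, EventKey{ev.SensorID, ev.EventID})
			c.HasEvent, c.Event = true, ev
		case typePacket:
			var ph PacketHeader
			if err := binary.Read(bytes.NewReader(body), binary.BigEndian, &ph); err != nil {
				return nil, fmt.Errorf("malformed packet header: %w", err)
			}
			// The inner packet_length must fit inside the outer record length.
			if uint64(ph.PacketLength) > uint64(len(body)-binary.Size(ph)) {
				return nil, fmt.Errorf("packet_length %d exceeds record body", ph.PacketLength)
			}
			c := group(out, EventKey{ph.SensorID, ph.EventID})
			c.Packets = append(c.Packets, Packet{ph, body[binary.Size(ph):][:ph.PacketLength]})
		}
	}
}

func group(m map[EventKey]*Correlated, k EventKey) *Correlated {
	if m[k] == nil {
		m[k] = &Correlated{}
	}
	return m[k]
}

// SampleStream builds a constructed Unified2 stream: one event with two packets,
// plus one orphan packet whose event record is absent. Not real IDS output.
func SampleStream() []byte {
	var buf bytes.Buffer
	put := func(t uint32, parts ...interface{}) {
		var body bytes.Buffer
		for _, p := range parts {
			binary.Write(&body, binary.BigEndian, p)
		}
		binary.Write(&buf, binary.BigEndian, struct{ Type, Length uint32 }{t, uint32(body.Len())})
		buf.Write(body.Bytes())
	}
	put(typeIDSEvent, IDSEvent{SensorID: 1, EventID: 10, EventSecond: 1700000000, SignatureID: 1000001,
		GeneratorID: 1, Protocol: 6, IPSource: 0x0a000001, IPDestination: 0x0a000002,
		SportItype: 44321, DportIcode: 80})
	pkt := []byte{0xde, 0xad, 0xbe, 0xef}
	put(typePacket, PacketHeader{SensorID: 1, EventID: 10, EventSecond: 1700000000,
		PacketSecond: 1700000000, Linktype: 1, PacketLength: uint32(len(pkt))}, pkt)
	put(typePacket, PacketHeader{SensorID: 1, EventID: 10, EventSecond: 1700000000,
		PacketSecond: 1700000001, Linktype: 1, PacketLength: uint32(len(pkt))}, pkt)
	put(typePacket, PacketHeader{SensorID: 1, EventID: 11, PacketLength: 2}, []byte{1, 2})
	return buf.Bytes()
}

func main() {
	groups, err := ParseUnified2(SampleStream())
	if err != nil {
		panic(err)
	}
	for k, c := range groups {
		fmt.Printf("sensor %d event %d: has_event=%v sid=%d packets=%d\n",
			k.SensorID, k.EventID, c.HasEvent, c.Event.SignatureID, len(c.Packets))
	}
}
```

Running it prints one line per (sensor_id, event_id) group: event 10 with its two packets, and event 11 as a packet-only group. Keeping orphan packets visible rather than discarding them matters when a spool file is rotated mid-event, which is exactly when an indexer would otherwise lose the payload for an alert.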
- build from source
- load the Elasticsearch index template: curl -XPUT 'http://localhost:9200/_template/unifiedbeat' -d@etc/unifiedbeat.template.json
- edit unifiedbeat.yml
- run ./unifiedbeat -c unifiedbeat.yml