Forward Zeek and Suricata Events to Google Chronicle

[oorozcoo]

Hello there,
Anyone has some guidence on how can I forward the Suricata and Zeek logs to Google Chronicle?
I tried this https://docs.securityonion.net/en/latest/logstash.html#original-event-forwarding and this https://docs.securityonion.net/en/latest/logstash.html#modified-event-forwarding but I have not been lucky.

Specifically I need to send the raw logs such http.log, dns.log, connection.log and others.

Also, I would like to ingest the alerts generated in Security Onion and see the message of Suricata into Chronicle.

Thank you in advance.

[dougburks]

We are working on an integration with Google Chronicle but we don't have any additional details to share at this time.

[oorozcoo]

For those who are interested on how to send Suricata events to Google Chronicle, please go through the following workaround.
Note: These steps were only tested on an on-prem deployment

Pre requisites

• Deploy a GSO Forwarder: https://cloud.google.com/chronicle/docs/install/install-forwarder
• Create and configure the forwarder in the GSO Console.
  • Add new collector configuration.
  • Select Suricata EVE as a Log Type
  • Select Syslog as Collector Type
  • Preferable use UDP as Protocol
  • Set the forwarder IP and the desired port.
  • Save
• Export the configuration files <Collector name>_config.conf and <Collector name>_config_auth.conf
• Import the files and start running the forwarder: https://cloud.google.com/chronicle/docs/install/install-forwarder#installforwarder

Security Onion Configuration

• Login via SSH and create a new file on /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/
  • i.e sudo vim /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/suricata.conf
• Paste the following content on the file, please be sure to replace the specific fields with your specified data

filter {
  json {
    source => "message"
  }
}
output {
  if [event][module] == "suricata" {
    udp {
      id => "OPTIONAL CUSTOM ID"
      host => "YOUR FORWARDER IP ADDRESS"
      port => YOUR FORWARDER PORT
      codec => "json"
    }
  }
}

• In Security Onion Console (SOC), navigate to Administration –> Configuration. At the top of the page, click the Options menu and then enable the Show advanced settings option. Then navigate to logstash –> defined_pipelines –> manager and append the name of your newly created file to the list of config files used for the manager pipeline
  • i.e custom/suricata.conf
• The configuration will be applied at the next 15-minute interval or you can apply it immediately by clicking the SYNCHRONIZE GRID button under the Options menu.
• Go to your GSO and start hunting.

Coffee is appreciated