FortiSIEM
pjang
Staff & Editor
Article Id 386040
Description

This article describes the process of adding Suricata as a new Network Intrusion Detection System (NIDS) device to FortiSIEM 7.x so that Suricata alerts can be monitored.

By default, FortiSIEM supports Snort IPS (see FortiSIEM External Systems Configuration Guide - Snort IPS), but Suricata, a widely-used open-source intrusion detection system, can be used as an alternative.

Scope

FortiSIEM, Suricata NIDS.

Solution

Configuring FortiSIEM:

  1. Add a new device by navigating to ADMIN -> Device Support -> Devices/Apps, then select New. Name the entry appropriately (e.g. 'suricata') and set the Version field to Any (log formats generally remain consistent between Suricata versions).
  2. Navigate to ADMIN -> Device Support -> Event Attributes and add the new Event Attributes that will be populated when parsing Suricata logs.
    • As a suggestion, consider adding an Event SID attribute (generally useful when investigating Suricata alerts) and a Classification attribute (useful for dashboards and visualization).
  3. Navigate to ADMIN -> Device Support -> Parsers and add a new Parser. The following is an example parser for Suricata written in XML format:

<patternDefinitions>
  <pattern name='patHostName'><![CDATA[\S+]]></pattern>
  <pattern name='patAppName'><![CDATA[\S+]]></pattern>
  <pattern name='patSuricataDateTime'><![CDATA[\d{2}\/\d{2}\/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6}]]></pattern>
  <pattern name='patAlertId'><![CDATA[\d+]]></pattern>
  <pattern name='patAlertMsg'><![CDATA[.*?]]></pattern>
  <pattern name='patClassification'><![CDATA[.*?]]></pattern>
  <pattern name='patPriority'><![CDATA[\[Priority: \d+\]]]></pattern>
  <pattern name='patProto'><![CDATA[\w+|\w+\-\w+]]></pattern>
  <pattern name='patIpAddr'><![CDATA[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}]]></pattern>
  <pattern name='patPort'><![CDATA[\d+]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[<\d+>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}.*?suricata]]></eventFormatRecognizer>
<parsingInstructions>
  <collectFieldsByRegex src='$_rawmsg'>
    <regex><![CDATA[<:gPatSyslogPRI>\s*<_mon:gPatMon>\s*<_day:gPatDay>\s*<_time:gPatTime>\s+<_hostname:patHostName>\s+<_app:patAppName>\s+<_suricata_date_time:patSuricataDateTime>\s*\[\*\*\]\s*\[\d+?:<_sid:patAlertId>:\d+?\]\s+<_alert_msg:patAlertMsg>\s+\[\*\*\]\s+\[Classification\:<_classification:patClassification>\]\s+<_priority:patPriority>\s+\{<_proto:patProto>\}\s+<_src_ip:patIpAddr>:<_src_port:patPort>\s+->\s+<_dest_ip:patIpAddr>:<_dest_port:patPort>]]></regex>
  </collectFieldsByRegex>
  <setEventAttribute attr='srcIpAddr'>$_src_ip</setEventAttribute>
  <setEventAttribute attr='destIpAddr'>$_dest_ip</setEventAttribute>
  <setEventAttribute attr='srcIpPort'>$_src_port</setEventAttribute>
  <setEventAttribute attr='destIpPort'>$_dest_port</setEventAttribute>
  <setEventAttribute attr='ipProto'>$_proto</setEventAttribute>
  <setEventAttribute attr='sid'>$_sid</setEventAttribute>
  <setEventAttribute attr='appName'>$_app</setEventAttribute>
  <setEventAttribute attr='hostName'>$_hostname</setEventAttribute>
  <setEventAttribute attr='eventDesc'>$_alert_msg</setEventAttribute>
  <setEventAttribute attr='classification'>$_classification</setEventAttribute>
  <setEventAttribute attr='eventType'>suricata-alert</setEventAttribute>
  <setEventAttribute attr='eventName'>$_alert_msg</setEventAttribute>
</parsingInstructions>
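As an added offline check of the parser above (example code written for this article, not FortiSIEM's parsing engine or Fortinet's code), the following Python script expands the `<var:pattern>` references in the parser's collect regex into Python named groups, runs the event format recognizer and the collect regex over a constructed syslog line in the shape rsyslog produces when forwarding a fast.log alert with the syslog tag 'suricata', and maps the captures to the event attributes the parser sets. The gPatSyslogPRI, gPatMon, gPatDay and gPatTime built-ins are not defined on this page; the values used here are assumed equivalents derived from the shape the recognizer already matches. The sample alert, host name and addresses are constructed, and the harness trims whitespace from captured values, which is its own choice rather than documented FortiSIEM behaviour.

```python
import re

# Pattern definitions mirrored from the parser XML in this article. The four
# gPat* entries are FortiSIEM built-ins whose exact definitions are not on the
# page; these values are assumed equivalents taken from the shape used by the
# parser's eventFormatRecognizer.
PATTERNS = {
    "gPatSyslogPRI": r"<\d+>",
    "gPatMon": r"[A-Za-z]{3}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "patHostName": r"\S+",
    "patAppName": r"\S+",
    "patSuricataDateTime": r"\d{2}\/\d{2}\/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6}",
    "patAlertId": r"\d+",
    "patAlertMsg": r".*?",
    "patClassification": r".*?",
    "patPriority": r"\[Priority: \d+\]",
    "patProto": r"\w+|\w+\-\w+",
    "patIpAddr": r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",
    "patPort": r"\d+",
}

# The eventFormatRecognizer from the article, verbatim.
RECOGNIZER = r"<\d+>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}.*?suricata"

# The <collectFieldsByRegex> regex from the article, verbatim.
COLLECT_REGEX = (
    r"<:gPatSyslogPRI>\s*<_mon:gPatMon>\s*<_day:gPatDay>\s*<_time:gPatTime>"
    r"\s+<_hostname:patHostName>\s+<_app:patAppName>"
    r"\s+<_suricata_date_time:patSuricataDateTime>\s*\[\*\*\]"
    r"\s*\[\d+?:<_sid:patAlertId>:\d+?\]\s+<_alert_msg:patAlertMsg>\s+\[\*\*\]"
    r"\s+\[Classification\:<_classification:patClassification>\]"
    r"\s+<_priority:patPriority>\s+\{<_proto:patProto>\}"
    r"\s+<_src_ip:patIpAddr>:<_src_port:patPort>\s+->\s+<_dest_ip:patIpAddr>:<_dest_port:patPort>"
)

# Captured variable -> FortiSIEM event attribute, as in the parser's
# <setEventAttribute> block.
ATTRIBUTE_MAP = {
    "srcIpAddr": "_src_ip", "destIpAddr": "_dest_ip",
    "srcIpPort": "_src_port", "destIpPort": "_dest_port",
    "ipProto": "_proto", "sid": "_sid", "appName": "_app",
    "hostName": "_hostname", "eventDesc": "_alert_msg",
    "classification": "_classification", "eventName": "_alert_msg",
}


def to_python_regex(fortisiem_regex):
    """Expand <var:pattern> into a named group and <:pattern> into a
    non-capturing group. This mimics the FortiSIEM syntax only far enough
    to test the regex offline; it is not the FortiSIEM parsing engine."""
    def expand(m):
        var, pat = m.group(1), m.group(2)
        body = PATTERNS[pat]
        return f"(?P<{var}>{body})" if var else f"(?:{body})"
    return re.sub(r"<(\w*):(\w+)>", expand, fortisiem_regex)


def parse_suricata_syslog(line):
    """Return the FortiSIEM event attributes for one forwarded fast.log line,
    or None if the recognizer or the collect regex does not match."""
    if not re.search(RECOGNIZER, line):
        return None
    m = re.search(to_python_regex(COLLECT_REGEX), line)
    if not m:
        return None
    fields = m.groupdict()
    # Trim the leading space left by "[Classification: ...]"; whether FortiSIEM
    # trims it is not stated on the page, so this is the harness's choice.
    event = {attr: fields[var].strip() for attr, var in ATTRIBUTE_MAP.items()}
    event["eventType"] = "suricata-alert"
    return event


# Constructed sample: one fast.log alert as rsyslog's imfile input forwards it
# with Tag 'suricata' and facility local6 (PRI 182 = local6.info).
SAMPLE_LINE = (
    "<182>Mar 20 12:00:01 sensor1 suricata 03/20/2024-12:00:01.123456  [**] "
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "198.51.100.10:80 -> 192.0.2.25:51234"
)

if __name__ == "__main__":
    for attr, value in parse_suricata_syslog(SAMPLE_LINE).items():
        print(f"{attr:15} {value}")
```

Running the script prints the attribute map for the sample line; a line from another program (one without the 'suricata' tag) returns None because the recognizer rejects it. Feeding real forwarded lines from the Collector into this harness is a quick way to confirm the rsyslog tag and the fast.log layout match the parser before loading it into FortiSIEM.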
Configuring Suricata:

1. Configure suricata.yaml to log alerts to a specific directory so that a syslog daemon (such as rsyslogd) can monitor that directory and forward the logs to the FortiSIEM Supervisor/Collector. Refer to the following Suricata documentation for more information: https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#default-logging-directory

2. Configure rsyslogd to monitor the Suricata log directory and forward the logs via syslog to the FortiSIEM Supervisor/Collector IP address. The following is an example configuration snippet for rsyslogd. Note that a Tag is set on the file input so that the FortiSIEM parser's event format recognizer (which matches on 'suricata') correctly identifies the forwarded logs:

# Load the file input module (required for input(type='imfile'))
module(load='imfile')

# Tail the Suricata alert log; the Tag is what the FortiSIEM parser's
# event format recognizer matches on
input(type='imfile'
      File='/path/to/suricata_log_file'
      Tag='suricata'
      Facility='local6')

# Forward logs to the FortiSIEM Supervisor/Collector over UDP port 514
# (use @@ instead of @ to forward over TCP)
local6.* @<FortiSIEM_Supervisor/Collector_IP_Address>:514

3. As an alternative to rsyslogd, a potentially more reliable option for forwarding Suricata alerts is the FortiSIEM Linux Agent Log File feature: FortiSIEM Admin Guide - Configuring Linux Agent

Additional Notes:

  • The guidance above covers monitoring alerts from Suricata. To integrate all traffic (not just alerts), monitor Suricata's eve.json file instead (/var/log/suricata/eve.json); note that a new XML parser would need to be created for that format.
  • Configure a new rule to create an incident for all logs coming from fast.log. If this produces many false positives, it is recommended to tune at the Suricata rules level rather than in FortiSIEM.