No data in suricata

[MCLaesser]

Hello
First I would like to thank you for your great job creating pfelk. I'm using it since one week with docker and it's just great!

I already have a bunch of logs but the logs from suricata are missing. I enabled suricata according your instructions for opensense but my pfelk-suricata-2021.07 indices only shows 20 entries. I tried everything but my suricata alert tab in opensense also stays empty. Could you please give me some advise how to setup suricata properly? I would be very interested to know what attacks I get on my WAN Interface of my opensense firewall.

Many thanks for your help.

Greetings Manuel

[a3ilson]

Below is my setup minus the"Download" and "Rules" tab within Services>>Intrusion Detection>>Administration which will be unique based on your desired ruleset.

[MCLaesser]

Hello Andrew
Many thank for your answer and your great work. My config is slightly different and I configured port 5140 according to your Configuration instruction instead of 5040. I also have only one rule for all application.

I didn't select any Applications so all applications should send there log to pfelk, right? I think there is more a general problem in running suricata on my opnsense box unfortunately.

Regards Manuel

[MCLaesser]

I'm sorry 5040 is tcp and 5140 is udp. I'm using udp for all logs but also tried tcp with port 5040. I guess my suricata is not running properly on opnsense. Don't know why.

Greetings Manuel

[a3ilson]

What type of network? home? office or commercial? Next, what interfaces do you have selected?

I only have my internal interfaces selected as I do not care about my wan unless those packets of badness make it through. I am guessing that since you are not seeing much activity within OPNsense or pfELK that those packets of badness just haven't been observed yet. The absence of badness is totally fine but I agree, it would be nice to confirm it is working.

So here are a few options:

• Generate some bad packets and confirm if it is working
• Write a simple rule for let's say ping, apply and test out

[MCLaesser]

Hello Andrew
Thank you for your patient. Yesterday I went through the suricata documentation. It seems, that I managed it to activate suricata on LAN. I made a test with curl after downloading and activating ET Open ruleset an I got a first error in pfelk. So I'm very happy.

Thank you very much for your help and work! It's just amazing what you did!

Greetings Manuel

p.s. looking forward to your openvpn dashboard ;-)