Integrate Suricata with Coralogix using OpenTelemetry
This guide explains how to integrate Suricata with Coralogix using the OpenTelemetry Collector. It leverages the flexibility and vendor-agnostic design of OpenTelemetry for observability pipelines.
Prerequisites
Before you begin, make sure you have the following:
- Suricata installed and configured
- OpenTelemetry Collector installed
Install Suricata
Debian/Ubuntu
CentOS/RHEL
Configure Suricata
Ensure Suricata writes logs in EVE JSON format, typically to:
/var/log/suricata/eve.json
The configuration file is located at:
/etc/suricata/suricata.yaml
Update the outputs section in suricata.yaml:
outputs:
  # eve-log is Suricata's JSON event output; the "fast" output writes plain-text
  # fast.log and does not accept the filetype/types keys below
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      append: yes
      types:
        - alert
        - dns
        - flow
        - stats
Install OpenTelemetry
See the GitHub documentation for installation details: https://github.com/coralogix/snowbit-integrations/tree/master/SIEM%20%26%20SaaS/OS%20Logs/Linux
OpenTelemetry Collector configuration
Save the following configuration as /etc/otelcol-contrib/config.yaml:
receivers:
  filelog:
    start_at: beginning
    include:
      - /var/log/suricata/eve.json
    operators:
      - type: json_parser
        id: suricata_json_parser
        parse_from: body
        # parsed EVE fields land in attributes (the operator's default)
        parse_to: attributes
      - type: filter
        id: suricata_alert_filter
        # the filter operator drops entries for which expr is true,
        # so negating the match keeps only alert events
        expr: 'attributes.event_type != "alert"'
exporters:
  coralogix:
    domain: "coralogix.com"
    private_key: "<your-send-data-key>"
    application_name: "suricata"
    subsystem_name: "suricata"
    timeout: 30s
service:
  pipelines:
    logs:
      receivers: [ filelog ]
      exporters: [ coralogix ]
Note: Replace <your-send-data-key> with your actual Coralogix private key.
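As an added example (not part of this guide or the Collector's own code), the following Python script simulates what the json_parser and alert filter operators do to a few constructed EVE JSON lines, including a malformed line, so you can check offline what would reach the Coralogix exporter before wiring up the real pipeline.

```python
import json

# Constructed sample lines in Suricata EVE JSON format (one event per line),
# including a deliberately malformed line to exercise the parser failure path.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature":"CONSTRUCTED test signature","severity":2}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dns":{"rrname":"example.com","type":"query"}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"pkts_toserver":4}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"stats",'
    '"stats":{"uptime":3}}',
    'this line is not JSON',
]

def parse_eve(lines):
    """Stand-in for the json_parser operator: each line becomes an entry whose
    parsed fields sit in "attributes"; undecodable lines carry an error marker."""
    entries = []
    for line in lines:
        try:
            entries.append({"body": line, "attributes": json.loads(line), "error": None})
        except json.JSONDecodeError as exc:
            entries.append({"body": line, "attributes": {}, "error": str(exc)})
    return entries

def keep_event_type(entries, event_type="alert"):
    """Stand-in for the filter operator configured to keep only one event_type.
    Entries with a parse error have no event_type and are dropped as well."""
    return [e for e in entries if e["attributes"].get("event_type") == event_type]

def count_by_event_type(entries):
    """Per-type counts, with "<unparsed>" for lines the parser rejected."""
    counts = {}
    for e in entries:
        key = e["attributes"].get("event_type", "<unparsed>")
        counts[key] = counts.get(key, 0) + 1
    return counts

def forwarded_alerts(lines):
    """End-to-end: the entries the pipeline would hand to the Coralogix exporter."""
    return keep_event_type(parse_eve(lines), "alert")
```

Run count_by_event_type(parse_eve(...)) against a tail of your real eve.json to confirm that alerts are actually being written before looking for them in Coralogix.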
Run the OpenTelemetry Collector
To start the OpenTelemetry Collector with your configuration:
To restart the service if needed:
Default configuration path: /etc/otelcol-contrib/config.yaml
Run Suricata in PCAP mode
Configure AWS traffic mirroring
Create a traffic mirror target
Define where mirrored traffic will be sent (the ENI of the Suricata instance).
- Go to VPC > Traffic Mirroring > Mirror Targets
- Click Create traffic mirror target
- Select the network interface of your Suricata EC2 instance
- Provide a name and description
Create a traffic mirror filter
Specify the type of traffic to mirror (for example, TCP, UDP, or all).
- Go to Mirror Filters and click Create filter
- Add inbound and outbound rules:
  - Protocol: All or specify (TCP, UDP, etc.)
  - Port range: Optional
  - CIDR blocks: 0.0.0.0/0 to capture all, or restrict
Create a traffic mirror session
Link the source instances to the Suricata target using the filter.
- Go to Mirror Sessions and click Create session
- Configure the following:
  - Source: The ENI of the monitored EC2 instance
  - Target: The mirror target created earlier
  - Filter: The mirror filter created earlier
  - Session Number: Priority if multiple sessions exist
  - Packet Length: Maximum bytes per packet (default: 100)
Verify Suricata is receiving traffic
Once the session is active:
- SSH into the Suricata instance
- Check interface activity:
- Verify the correct network interface:
- Check Suricata logs under /var/log/suricata/ to confirm traffic detection
Completion
If all steps are followed, you should now be receiving Suricata logs in Coralogix.
Best practices
- Security groups: Allow inbound traffic on Suricata’s listening interface (note: SGs may not apply to mirrored traffic)
- Performance: Use Nitro-based instance types (c5, m5) for high throughput
- Storage: Ensure adequate EBS storage for logs and packet data
- Monitoring: Configure CloudWatch or an external logging system for long-term monitoring and alerting
Limitations
- Mirrored traffic is read-only—Suricata cannot respond or modify packets
- Cross-region mirroring is not supported
- Traffic mirroring works only with Nitro-based instances for both source and target