# Integrate Suricata with Coralogix using OpenTelemetry

This guide explains how to integrate Suricata with Coralogix using the OpenTelemetry Collector. It leverages the flexibility and vendor-agnostic design of OpenTelemetry for observability pipelines.

## Prerequisites

Before you begin, make sure you have the following:

- Suricata installed and configured
- OpenTelemetry Collector [installed](https://coralogix.com/docs/opentelemetry/getting-started/index.md)

## Install Suricata

### Debian/Ubuntu

```text
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata -y
```

### CentOS/RHEL

```text
sudo yum install epel-release -y
sudo yum install suricata -y
```

## Configure Suricata

Ensure Suricata writes logs in EVE JSON format, typically to:

/var/log/suricata/eve.json

The configuration file is located at:

/etc/suricata/suricata.yaml

Update the `eve-log` entry in the outputs section of suricata.yaml. (The `fast` output writes the one-line fast.log format, not EVE JSON, so it is not the right place for this.) The `filename` is relative to `default-log-dir` unless given as an absolute path:

```text
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      append: yes
      types:
        - alert
        - dns
        - flow
        - stats
```

## Install OpenTelemetry

See the GitHub documentation for installation details: <https://github.com/coralogix/snowbit-integrations/tree/master/SIEM%20%26%20SaaS/OS%20Logs/Linux>

## OpenTelemetry Collector configuration

Save the following configuration as /etc/otelcol-contrib/config.yaml:

```text
receivers:
  filelog:
    # Read the whole file on first start. Without a storage extension there is
    # no checkpoint, so every collector restart re-reads the file from the
    # beginning; switch to "end" once the initial backfill is done.
    start_at: beginning
    include:
      - /var/log/suricata/eve.json
    operators:
      # Parse each EVE line into the body so the filter below can read its fields.
      - type: json_parser
        id: suricata_json_parser
        parse_from: body
        parse_to: body
      # The filter operator DROPS entries whose expression is true, so to forward
      # only alerts it must match everything that is not an alert. Remove this
      # operator to forward the dns, flow and stats events as well.
      - type: filter
        id: suricata_alert_filter
        expr: 'body.event_type != "alert"'

exporters:
  coralogix:
    # Use the domain of your Coralogix account (e.g. coralogix.com, coralogix.us, eu2.coralogix.com)
    domain: "coralogix.com"
    private_key: "<your-send-data-key>"
    application_name: "suricata"
    subsystem_name: "suricata"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [ filelog ]
      exporters: [ coralogix ]
```

Note: Replace `<your-send-data-key>` with your actual Coralogix private key.
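The pipeline above has one subtlety that is easy to get backwards: the stanza `filter` operator drops the entries whose expression is true, so the expression names the events to discard. The script below is an added example (not part of this guide or of the collector) that emulates the `json_parser` and `filter` steps on EVE JSON lines, so a filter expression can be checked against real `eve.json` output before anything is shipped. The sample lines are constructed for this example; the signature ids and addresses in them are made up.

```python
"""Emulate the collector's json_parser + filter operators on EVE JSON lines.

Added example, not part of the Coralogix guide or of the OpenTelemetry
Collector. Assumption mirrored in filter_drops(): the stanza filter operator
drops an entry when its expression evaluates to true.
"""
import json
from collections import Counter

# Constructed sample lines in Suricata's EVE format (one JSON object per line).
# They are made up for this example, not real sensor output.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED example alert 1","severity":2}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"stats",'
    '"stats":{"uptime":3}}',
    'this line is not JSON',
    '{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"UDP",'
    '"alert":{"signature_id":9000002,"signature":"CONSTRUCTED example alert 2","severity":1}}',
]


def parse_eve_line(line):
    """json_parser step: one EVE line -> dict, or None if it is not a JSON object."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def filter_drops(record, keep_type="alert"):
    """filter step, mirroring expr 'body.event_type != "alert"'.

    True means the collector would DROP this entry: the expression names the
    events to discard, which is why a keep-only-alerts filter uses '!='.
    """
    return record.get("event_type") != keep_type


def forward(lines, keep_type="alert"):
    """Run parse + filter over the lines; return the records that reach the exporter."""
    kept = []
    for line in lines:
        record = parse_eve_line(line)
        if record is None:
            # The collector's json_parser defaults to on_error: send, which would
            # forward the raw line unparsed; skipping here matches on_error: drop.
            continue
        if not filter_drops(record, keep_type):
            kept.append(record)
    return kept


def event_type_counts(lines):
    """Verification helper: how many parsable events of each type the log holds."""
    counts = Counter()
    for line in lines:
        record = parse_eve_line(line)
        if record is not None:
            counts[record.get("event_type", "<missing>")] += 1
    return dict(counts)


if __name__ == "__main__":
    import sys
    # Pass a path to read a real eve.json; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = SAMPLE_EVE_LINES
    print("events by type:", event_type_counts(lines))
    for rec in forward(lines):
        print("forwarded:", rec["timestamp"], rec["src_ip"], "->", rec["dest_ip"],
              rec["alert"]["signature"])
```

Run it as `python3 eve_filter_check.py /var/log/suricata/eve.json` on the sensor: the per-type counts confirm that Suricata is seeing traffic, and the forwarded list shows exactly what the collector filter lets through.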

## Run the OpenTelemetry Collector

To start the OpenTelemetry Collector with your configuration:

```text
otelcol-contrib --config /etc/otelcol-contrib/config.yaml
```

To restart the service if needed:

```text
sudo systemctl restart otelcol-contrib
```

Default configuration path: /etc/otelcol-contrib/config.yaml

## Run Suricata in live capture (pcap) mode

Capture on the interface that receives the mirrored traffic (eth1 here; adjust to your instance):

```text
sudo suricata -i eth1 -c /etc/suricata/suricata.yaml -v
```

## Configure AWS traffic mirroring

### Create a traffic mirror target

Define where mirrored traffic will be sent (the ENI of the Suricata instance).

1. Go to VPC > Traffic Mirroring > Mirror Targets
1. Click Create traffic mirror target
1. Select the network interface of your Suricata EC2 instance
1. Provide a name and description

### Create a traffic mirror filter

Specify the type of traffic to mirror (for example, TCP, UDP, or all).

1. Go to Mirror Filters and click Create filter
1. Add inbound and outbound rules:
   - Protocol: All or specify (TCP, UDP, etc.)
   - Port range: Optional
   - CIDR blocks: 0.0.0.0/0 to capture all, or restrict

### Create a traffic mirror session

Link the source instances to the Suricata target using the filter.

1. Go to Mirror Sessions and click Create session
1. Configure the following:
   - Source: The ENI of the monitored EC2 instance
   - Target: The mirror target created earlier
   - Filter: The mirror filter created earlier
   - Session Number: Priority if multiple sessions exist
   - Packet Length: Maximum bytes per packet (default: 100)
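The three console steps above (target, filter with its rules, session) can also be done through the EC2 API. The script below is an added example, not part of this guide, using the boto3 calls `create_traffic_mirror_target`, `create_traffic_mirror_filter`, `create_traffic_mirror_filter_rule` and `create_traffic_mirror_session`. It assumes boto3 is installed with credentials allowed to manage traffic mirroring; the ENI ids and the `MONITORED_CIDR` value are placeholders to replace, and the CIDR is narrowed to a VPC range rather than the 0.0.0.0/0 used in the console walkthrough. The EC2 client is passed in, so the calls can be reviewed with the `DryRunEC2` recorder before anything is created.

```python
"""Create an AWS Traffic Mirroring target, filter and session for a Suricata sensor.

Added example, not part of the Coralogix guide. Placeholders: the ENI ids and
MONITORED_CIDR below must be replaced with your own values.
"""

SOURCE_ENI = "eni-0000source-placeholder"  # placeholder: ENI of the monitored EC2 instance
SENSOR_ENI = "eni-0000sensor-placeholder"  # placeholder: ENI of the Suricata instance
MONITORED_CIDR = "10.0.0.0/16"             # placeholder: the VPC range you want to watch
ANY_CIDR = "0.0.0.0/0"


def setup_mirroring(ec2, source_eni, sensor_eni, monitored_cidr,
                    session_number=1, packet_length=None):
    """Create target, filter, two accept rules and a session; return their ids.

    ec2 is a boto3 EC2 client (or DryRunEC2 below). No Protocol is given on the
    rules, so all protocols are mirrored; the mirror is read-only and cannot
    block or alter the source's traffic.
    """
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=sensor_eni,
        Description="Suricata sensor",
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    filter_id = ec2.create_traffic_mirror_filter(
        Description="Mirror monitored traffic to Suricata",
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]

    # Inbound: anything arriving at the monitored range; outbound: anything leaving it.
    rules = [
        ("ingress", ANY_CIDR, monitored_cidr),
        ("egress", monitored_cidr, ANY_CIDR),
    ]
    for direction, src, dst in rules:
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id,
            TrafficDirection=direction,
            RuleNumber=100,
            RuleAction="accept",
            SourceCidrBlock=src,
            DestinationCidrBlock=dst,
        )

    session_kwargs = dict(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,  # lower number wins when sessions overlap
    )
    if packet_length is not None:
        session_kwargs["PacketLength"] = packet_length  # omitted: whole packets
    session_id = ec2.create_traffic_mirror_session(
        **session_kwargs
    )["TrafficMirrorSession"]["TrafficMirrorSessionId"]

    return {"target_id": target_id, "filter_id": filter_id, "session_id": session_id}


class DryRunEC2:
    """Records the API calls instead of making them, so the plan can be reviewed."""

    def __init__(self):
        self.calls = []

    def create_traffic_mirror_target(self, **kw):
        self.calls.append(("create_traffic_mirror_target", kw))
        return {"TrafficMirrorTarget": {"TrafficMirrorTargetId": "tmt-dryrun"}}

    def create_traffic_mirror_filter(self, **kw):
        self.calls.append(("create_traffic_mirror_filter", kw))
        return {"TrafficMirrorFilter": {"TrafficMirrorFilterId": "tmf-dryrun"}}

    def create_traffic_mirror_filter_rule(self, **kw):
        self.calls.append(("create_traffic_mirror_filter_rule", kw))
        return {"TrafficMirrorFilterRule": {"TrafficMirrorFilterRuleId": "tmfr-dryrun"}}

    def create_traffic_mirror_session(self, **kw):
        self.calls.append(("create_traffic_mirror_session", kw))
        return {"TrafficMirrorSession": {"TrafficMirrorSessionId": "tms-dryrun"}}


if __name__ == "__main__":
    import sys
    if "--apply" in sys.argv:
        import boto3  # only needed for a real run against your account
        ec2 = boto3.client("ec2")
    else:
        ec2 = DryRunEC2()
    print(setup_mirroring(ec2, SOURCE_ENI, SENSOR_ENI, MONITORED_CIDR))
    if isinstance(ec2, DryRunEC2):
        for name, kw in ec2.calls:
            print(name, kw)
```

Without `--apply` the script only prints the calls it would make, which is the moment to check that the source and sensor ENIs are not swapped and that the CIDR is as narrow as the monitoring need allows.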

## Verify Suricata is receiving traffic

Once the session is active:

- SSH into the Suricata instance
- Check interface activity:

```text
sudo tcpdump -i eth1
```

- Verify the correct network interface:

```text
ip addr
```

- Check Suricata logs under /var/log/suricata/ to confirm traffic detection

## Completion

If all steps are followed, you should now be receiving Suricata logs in Coralogix.

## Best practices

- Security groups: Allow inbound traffic on Suricata’s listening interface (note: SGs may not apply to mirrored traffic)
- Performance: Use Nitro-based instance types (c5, m5) for high throughput
- Storage: Ensure adequate EBS storage for logs and packet data
- Monitoring: Configure CloudWatch or an external logging system for long-term monitoring and alerting

## Limitations

- Mirrored traffic is read-only—Suricata cannot respond or modify packets
- Cross-region mirroring is not supported
- Traffic mirroring works only with Nitro-based instances for both source and target
