To parse Suricata JSON logs received through the syslog collector, the NetWitness Log Decoder needs a Lua parser.
The Suricata Lua parser in this example maps only specific fields from the JSON logs to meta keys. If additional meta keys need to be mapped, the Lua parser must be modified and the additional "custom" meta keys must be added to the Concentrator index file.
The process for deploying the attached files is as follows:
- Load the XML parser to your Log Decoder using RSA Live > Deploy
- Load the json.lua and suricata.lua parsers to your Log Decoder
- json.lua can be copied to /etc/netwitness/ng/parsers on your Log Decoder
- suricata.lua can be uploaded using the upload option in the Parsers tab of your Log Decoder
- Add the custom meta keys to index-concentrator-custom.xml on your Concentrator(s)
- Create a parser mapping for your parser
- Restart the Log Decoder and Concentrator services
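The mapping step that the attached suricata.lua performs (a fixed set of JSON fields to meta keys, with anything else needing a custom index entry) can be illustrated in plain Python. The block below is an added example written for this page; it is not the post's parser and not NetWitness code. It strips the syslog header from each delivered EVE line, maps nested fields such as alert.signature_id to meta keys, rejects lines that are not JSON objects, and renders the index-concentrator-custom.xml entries for the keys that are not in the default index. The meta key names, the suricata.* custom keys, the custom index file layout and the valueMax value are assumptions, and the sample log lines are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Example mapping from Suricata EVE JSON fields to NetWitness meta keys.
# Dotted names on the left address nested JSON objects ("alert.signature").
# The keys on the right are assumptions: event.type, ip.src, ip.dst, port.src,
# port.dst, protocol and event.desc are taken to be standard NetWitness keys;
# the suricata.* keys are constructed custom keys that would need entries in
# index-concentrator-custom.xml before a Concentrator will index them.
FIELD_MAP = {
    "event_type": "event.type",
    "src_ip": "ip.src",
    "dest_ip": "ip.dst",
    "src_port": "port.src",
    "dest_port": "port.dst",
    "proto": "protocol",
    "alert.signature": "event.desc",
    "alert.signature_id": "suricata.sid",
    "alert.category": "suricata.category",
    "alert.severity": "suricata.severity",
}

# Keys assumed to already exist in the default Concentrator index.
STANDARD_KEYS = {"event.type", "ip.src", "ip.dst", "port.src", "port.dst",
                 "protocol", "event.desc"}


def _lookup(record, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_eve_line(line):
    """Map one syslog-delivered EVE line to {meta_key: value}.

    Anything before the first '{' (the syslog header) is discarded. Returns
    None when the remainder is not a JSON object, so the caller can count or
    log unparsed lines instead of creating empty meta.
    """
    start = line.find("{")
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except ValueError:
        return None
    if not isinstance(record, dict):
        return None
    meta = {}
    for src, key in FIELD_MAP.items():
        value = _lookup(record, src)
        if value is not None:
            meta[key] = str(value)  # meta values are written as text here
    return meta


def custom_keys(meta_keys):
    """Meta keys that are not in the default index and need custom entries."""
    return sorted(k for k in set(meta_keys) if k not in STANDARD_KEYS)


def index_custom_xml(keys):
    """Render index-concentrator-custom.xml entries for the given keys.

    The <language>/<key> layout and attributes follow the NetWitness custom
    index file format as assumed here; valueMax is a constructed placeholder.
    """
    root = ET.Element("language", level="IndexNone", defaultAction="Auto")
    for k in keys:
        ET.SubElement(root, "key", description="Suricata " + k.split(".")[-1],
                      format="Text", level="IndexValues", name=k,
                      valueMax="10000")
    return ET.tostring(root, encoding="unicode")


# Constructed sample input: one syslog-wrapped alert, one DNS event (no alert
# object), and one line that is not JSON at all.
SAMPLE_LINES = [
    '<13>Jan 10 12:00:00 sensor1 suricata: {"timestamp":"2024-01-10T12:00:00.000000+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-01-10T12:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5",'
    '"src_port":53111,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    'sensor1 suricata: Engine started',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_eve_line(line))
    print(index_custom_xml(custom_keys(FIELD_MAP.values())))
```

The point of splitting the work into FIELD_MAP, STANDARD_KEYS and custom_keys is that extending the parser becomes a two-place change: add the field to the map, and confirm the new key is either already indexed or appears in the generated custom index entries. A key added to the parser but missing from the index is the usual reason meta shows up in the Log Decoder but cannot be queried on the Concentrator.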
[Screenshot: RAW reconstruction of event log]
[Screenshot: Meta reconstruction of event log]
Big thanks to Helmut Wahrmann, who helped me develop the first JSON Lua parser for NW.