{
  "name": "snort",
  "title": "Snort",
  "version": "1.21.2",
  "release": "ga",
  "description": "Collect logs from Snort with Elastic Agent.",
  "type": "integration",
  "download": "/epr/snort/snort-1.21.2.zip",
  "path": "/package/snort/1.21.2",
  "icons": [
    {
      "src": "/img/snort.svg",
      "path": "/package/snort/1.21.2/img/snort.svg",
      "title": "snort",
      "size": "120x60",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.11.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/integration-experience"
  },
  "categories": [
    "ids_ips",
    "security",
    "network_security"
  ],
  "signature_path": "/epr/snort/snort-1.21.2.zip.sig",
  "format_version": "3.0.3",
  "readme": "/package/snort/1.21.2/docs/README.md",
  "license": "basic",
  "assets": [
    "/package/snort/1.21.2/LICENSE.txt",
    "/package/snort/1.21.2/changelog.yml",
    "/package/snort/1.21.2/manifest.yml",
    "/package/snort/1.21.2/validation.yml",
    "/package/snort/1.21.2/docs/README.md",
    "/package/snort/1.21.2/img/snort.svg",
    "/package/snort/1.21.2/kibana/tags.yml",
    "/package/snort/1.21.2/data_stream/log/manifest.yml",
    "/package/snort/1.21.2/data_stream/log/sample_event.json",
    "/package/snort/1.21.2/docs/knowledge_base/service_info.md",
    "/package/snort/1.21.2/data_stream/log/fields/agent.yml",
    "/package/snort/1.21.2/data_stream/log/fields/base-fields.yml",
    "/package/snort/1.21.2/data_stream/log/fields/ecs.yml",
    "/package/snort/1.21.2/data_stream/log/fields/fields.yml",
    "/package/snort/1.21.2/data_stream/log/agent/stream/log.yml.hbs",
    "/package/snort/1.21.2/data_stream/log/agent/stream/udp.yml.hbs",
    "/package/snort/1.21.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml",
    "/package/snort/1.21.2/data_stream/log/elasticsearch/ingest_pipeline/json.yml",
    "/package/snort/1.21.2/data_stream/log/elasticsearch/ingest_pipeline/plaintext.yml"
  ],
  "policy_templates": [
    {
      "name": "snort",
      "title": "Snort logs",
      "description": "Collect logs from Snort instances",
      "inputs": [
        {
          "type": "logfile",
          "title": "Collect Snort logs (input: logfile)",
          "description": "Collecting logs from Snort instances (input: logfile)"
        },
        {
          "type": "udp",
          "title": "Collect Snort logs (input: udp)",
          "description": "Collecting logs from Snort instances (input: udp)"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "snort.log",
      "title": "Snort",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "/var/log/snort/alert.log"
              ]
            },
            {
              "name": "multiline_full",
              "type": "bool",
              "title": "Multi-line Alert Full logs",
              "description": "Enables multiline support when reading the Snort Alert Full log format",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "internal_networks",
              "type": "text",
              "title": "Internal Networks",
              "description": "The internal IP subnet(s) of the network.",
              "multi": true,
              "required": false,
              "show_user": true,
              "default": [
                "private"
              ]
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone Offset",
              "description": "By default, datetimes in the logs will be interpreted as relative to the timezone configured on the host where the agent is running. If ingesting logs from a host in a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\"), abbreviated (e.g. \"EST\") or an HH:mm differential (e.g. \"-05:00\") from UTC.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "local"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "snort.log"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Snort logs (Logfile)",
          "description": "Collect Snort logs using logfile input",
          "enabled": true,
          "ingestion_method": "File"
        },
        {
          "input": "udp",
          "vars": [
            {
              "name": "syslog_host",
              "type": "text",
              "title": "Syslog Host",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "localhost"
            },
            {
              "name": "syslog_port",
              "type": "text",
              "title": "Syslog Port",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 9514
            },
            {
              "name": "internal_networks",
              "type": "text",
              "title": "Internal Networks",
              "description": "The internal IP subnet(s) of the network.",
              "multi": true,
              "required": false,
              "show_user": true,
              "default": [
                "private"
              ]
            },
            {
              "name": "tz_offset",
              "type": "text",
              "title": "Timezone Offset",
              "description": "By default, datetimes in the logs will be interpreted as relative to the timezone configured on the host where the agent is running. If ingesting logs from a host in a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. \"Europe/Amsterdam\"), abbreviated (e.g. \"EST\") or an HH:mm differential (e.g. \"-05:00\") from UTC.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "local"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "snort.log"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "udp_options",
              "type": "yaml",
              "title": "Custom UDP Options",
              "description": "Specify custom configuration options for the UDP input.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#read_buffer: 100MiB\n#max_message_size: 50KiB\n#timeout: 300s\n"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "udp.yml.hbs",
          "title": "Snort logs (udp)",
          "description": "Collect Snort logs using udp input",
          "enabled": true,
          "ingestion_method": "Network Protocol"
        }
      ],
      "package": "snort",
      "path": "log"
    }
  ]
}
