VOOZH about

URL: https://www.digitalocean.com/community/tutorials/how-to-build-a-siem-with-suricata-and-elastic-stack-on-ubuntu-20-04

⇱ How To Build A SIEM with Suricata and Elastic Stack on Ubuntu 20.04 | DigitalOcean

How To Build A SIEM with Suricata and Elastic Stack on Ubuntu 20.04

Published on January 14, 2022
Not using Ubuntu 20.04?
Choose a different version or distribution.
Ubuntu 20.04
👁 How To Build A SIEM with Suricata and Elastic Stack on Ubuntu 20.04

Introduction

The previous tutorials in this series guided you through installing, configuring, and running Suricata as an Intrusion Detection (IDS) and Intrusion Prevention (IPS) system. You also learned about Suricata rules and how to create your own.

In this tutorial you will explore how to integrate Suricata with Elasticsearch, Kibana, and Filebeat to begin creating your own Security Information and Event Management (SIEM) tool using the Elastic stack and Ubuntu 20.04. SIEM tools are used to collect, aggregate, store, and analyze event data to search for security threats and suspicious activity on your networks and servers.

The components that you will use to build your own SIEM tool are:

  • Elasticsearch to store, index, correlate, and search the security events that come from your Suricata server.
  • Kibana to display and navigate around the security event logs that are stored in Elasticsearch.
  • Filebeat to parse Suricata’s eve.json log file and send each event to Elasticsearch for processing.
  • Suricata to scan your network traffic for suspicious events, and either log or drop invalid packets.

First you’ll install and configure Elasticsearch and Kibana with some specific authentication settings. Then you’ll add Filebeat to your Suricata system to send its eve.json logs to Elasticsearch.

Finally, you’ll learn how to connect to Kibana using SSH and your web browser, and then load and interact with Kibana dashboards that show Suricata’s events and alerts.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

Tutorial Series: Securing Your Network with Suricata

Suricata is a flexible, high performance Network Security Monitoring (NSM) tool that can detect and block attacks against your network.

This series will explore how to install Suricata on various operating systems, how to understand and write your own signatures to detect malicious or unknown traffic, and how to configure Suricata in both Intrusion Detection (IDS) and Intrusion Prevention (IPS) modes.

Once you have Suricata configured and running on your network, you’ll learn how to build your own Security Information and Event Management (SIEM) tool on top of the data that Suricata collects.

Still looking for an answer?

Was this helpful?

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

👁 Creative Commons
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.

  • Deploy on DigitalOcean

    Click below to sign up for DigitalOcean's virtual machines, Databases, and AIML products.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Start building today

From GPU-powered inference and Kubernetes to managed databases and storage, get everything you need to build, scale, and deploy intelligent applications.

© 2026 DigitalOcean, LLC.Sitemap.
Dark mode is coming soon.