====== Suricata-EVE-Unixsocket ======

This article provides instructions for installing the Suricata-Eve-Unixsocket app in Trisul Network Analytics. The Suricata-Eve app allows you to integrate Suricata IDS alerts into the Trisul metrics framework.

{{:tips:suricataapp.png?400|}}

===== Installation =====

==== 1. Installing Suricata App ====

  * You can install the app by logging in as admin and selecting //Web Admin > Manage > Apps > Suricata via Eve Unixsocket//.

{{:tips:suricata-app-admin.png?600|}}

==== 2. Installing Suricata version 5.0 ====

Please install Suricata by running the following commands:

<code bash>
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
</code>

==== 3. Updating with latest ruleset ====

Use the following command to update to the latest Emerging Threats ruleset:

<code bash>
sudo suricata-update
</code>

suricata-update puts the combined rules in ''/var/lib/suricata/rules'', which is owned by root. Make sure the trisul user can read this directory:

<code bash>
sudo chown -R trisul:trisul /var/lib/suricata
</code>

==== 4. Enabling EVE unix Socket ====

  * Locate the ''outputs'' section in ///etc/suricata/suricata.yaml// and enable EVE logging as shown below.

<code yaml>
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: unix_dgram #regular|
      filename: suricata_eve.socket
</code>

The filename ''suricata_eve.socket'' is the name of the Unix datagram socket file that Trisul will listen on later. Because the name is relative, Suricata creates the socket inside the log directory given with ''-l'', which is why the start command in the next step points ''-l'' at the Trisul probe run directory.

==== 5. Starting Suricata ====

  * Login as Admin and select Admin Tasks.
  * Click on the 'More options' dropdown at the end of probe0.
  * You will find a dialog box with the command line to start Suricata, as below.
  * Cut and paste the command shown into a terminal to start Suricata.

<code bash>
sudo suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens33 -D
</code>

{{:app:suricata.png?600|}}

{{:app:how_to_start_suricata.png?600|}}

==== 6. Viewing Alerts ====

{{:tips:suricata-alert.png?600|}}

==== 7. Starting Suricata Automatically ====

  * You need to install [[monit:monitoring_and_maintain_trisul_process|monit]] to enable this feature.
  * Add a shell script named //start-suricata.sh// in ///usr/local/etc/trisul-probe/// (replace ''ens18'' with your capture interface):

<code bash>
#!/bin/bash
echo "Removing PID file"
/bin/rm -f /var/run/suricata.pid
echo "Starting suricata"
/usr/bin/suricata --user trisul -l /usr/local/var/lib/trisul-probe/domain0/probe0/context0/run -c /etc/suricata/suricata.yaml -i ens18 -D
echo "Done starting suricata"
</code>

  * Make sure the shell script //start-suricata.sh// is executable:

<code bash>
chmod +x /usr/local/etc/trisul-probe/start-suricata.sh
</code>

  * Add the following statements to ///etc/monit/monitrc//:

<code>
check process suricata with pidfile /var/run/suricata.pid
    start program = "/usr/local/etc/trisul-probe/start-suricata.sh"
</code>

  * Restart monit so it picks up the new check:

<code bash>
systemctl restart monit
</code>
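To see what the ''unix_dgram'' EVE output from step 4 looks like from the consumer's side, here is an added example (hypothetical code, not Trisul's or Suricata's own) that binds a ''suricata_eve.socket'' path, pushes a constructed EVE alert record plus a non-alert record through it, and flattens each alert the way a metrics consumer would; the socket lives in a temporary directory rather than the Trisul run directory so it can be run by any user.

```python
"""Minimal EVE unix_dgram listener (hypothetical example, not Trisul's own code).
Suricata writes one JSON document per datagram to the socket named by the
eve-log 'filename' key; a consumer binds that path and reads the records."""
import json
import os
import socket
import tempfile

# Constructed sample of an EVE alert record, shaped like Suricata's output.
SAMPLE_ALERT = {
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 44321,
    "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 2100498, "rev": 7, "severity": 2,
              "signature": "GPL ATTACK_RESPONSE id check returned root",
              "category": "Potentially Bad Traffic"},
}

def summarize_alert(raw: bytes):
    """Flatten an EVE alert; None for other event types or malformed JSON."""
    try:
        rec = json.loads(raw)
    except ValueError:
        return None
    if rec.get("event_type") != "alert":
        return None
    a = rec["alert"]
    return {"sid": a["signature_id"], "severity": a["severity"],
            "signature": a["signature"],
            "src": f'{rec["src_ip"]}:{rec["src_port"]}',
            "dst": f'{rec["dest_ip"]}:{rec["dest_port"]}'}

def run_socket_exchange(records, sock_name="suricata_eve.socket"):
    """Bind the datagram socket (standing in for Trisul), send each record
    through it (standing in for Suricata) and return the listener's view."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, sock_name)  # relative name -> inside log dir
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as listener, \
             socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sender:
            listener.bind(path)  # the directory must be writable by this user
            out = []
            for rec in records:
                sender.sendto(json.dumps(rec).encode(), path)
                out.append(summarize_alert(listener.recv(65536)))  # one datagram each
            return out

if __name__ == "__main__":
    print(run_socket_exchange([SAMPLE_ALERT, {"event_type": "flow"}]))
```

If the listener is not running when Suricata starts, Suricata fails to open the socket, which is why the page starts Suricata from the Trisul admin dialog only after the probe is up.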