Send Suricata logs on Pfsense to Graylog

John Wheeler
9 min read · Apr 29, 2024
Suricata EVE Logs on Graylog

Rumors of the death of intrusion detection and intrusion prevention are greatly exaggerated. My first experience with intrusion detection and prevention was around 2005 with Juniper devices. I recall the difficulty of setting the devices up, adding network taps, applying rules, and removing false positives; it was a full-time job. In 2005 TLS 1.0 had recently been introduced and was widely used (it is now deprecated); however, many sites lacked any encryption, and the vast majority of traffic was unencrypted and could be inspected with deep packet inspection. Fast forward to today and your browser chides you if you navigate to an unencrypted site, and almost all sites are encrypted.

Why use Suricata?

Though much of the traffic on a network is now encrypted, Suricata can still alert you to things that shouldn’t happen, such as unusual traffic patterns and protocols or connections to known bad hosts. Suricata can also alert you when a device on your own private network attempts to communicate with a known bad destination.

https://xkcd.com/742/

No security solution is a panacea and practicing defense in depth ensures that you don’t rely exclusively on any one control. Though my…
