安装filebeat
配置filebeat.yml输出
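# ============================== Filebeat inputs ===============================
filebeat.inputs:
  # Suricata alert log (fast.log), shipped as plain text lines.
  - type: log
    enabled: true
    paths:
      - /var/log/suricata/fast-*.log
    fields:
      filename: fast
  # Suricata EVE log with all traffic events, one JSON object per line.
  - type: log
    enabled: true
    paths:
      - /var/log/suricata/eve-*.json
    fields:
      filename: eve
    # overwrite_keys only takes effect together with keys_under_root; without
    # it the decoded event stays nested under a "json" key instead of
    # becoming top-level fields.
    json.keys_under_root: true
    json.overwrite_keys: true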
······
······
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts (host:port of the beats input). The localhost entry is
  # kept commented out as the template for a Logstash on the same machine.
  #hosts: ["localhost:514"]
  hosts:
    - "10.10.10.1:514"
  # NOTE(review): no ssl.* settings appear in this section, so events leave
  # the sensor in cleartext and the Logstash endpoint is not authenticated;
  # confirm the link to 10.10.10.1 stays inside a trusted network segment.
suricata每天的eve.json日志量很大，因此按天保存，并删除前一天的eve.json
进入/etc/cron.daily/
创建一个文件suricatalog
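#!/bin/sh
# Delete yesterday's Suricata log files: every regular file directly under
# /var/log/suricata whose name contains yesterday's date (YYYY-MM-DD), which
# covers both the daily fast-*.log and eve-*.json files.
# Placed in /etc/cron.daily/ so run-parts executes it once a day; the file
# must carry the executable bit, otherwise run-parts skips it.
set -eu

LOG_DIR=/var/log/suricata
# GNU date: the calendar day before today, in the same format the log names use.
YESTERDAY=$(date -d '1 days ago' +%Y-%m-%d)

# find(1) replaces `ls | grep | xargs -i rm`: it copes with unusual file names,
# does nothing when no file matches, and avoids the deprecated xargs -i form.
# -maxdepth 1 keeps the search to the top level, like the original ls did;
# -type f makes sure only files, never directories, are removed.
find "$LOG_DIR" -maxdepth 1 -type f -name "*${YESTERDAY}*" -delete

exit 0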