Moving the Suricata module from its temporary repo to Filebeats

x-pack/filebeat/module/suricata/README.md

@@ -0,0 +1,60 @@
+# Suricata module
+
+Shove the content of this repo under `filebeats/module/suricata` for testing,
+until Filebeats supports loading modules from `x-pack/filebeats/module`
+(issue [beats#7524](https://github.com/elastic/beats/issues/7524)).
+
+## Caveats with this preliminary version
+
+* Dashboards, visualizations and saved searches are trivial at this time.
+* Original Suricata event shoved as is `suricata.eve.`
+* Due to limitations in Ingest Node field copying, all events have `ecs.user_agent`.
+  Events that actually have user agent information are missing the `ecs.user_agent.raw`,
+  and all of their ua fields have the value "Other". Disregard those.
+* GeoIP is done twice. Once on ECS fields and once on original fields, saving back
+  under original object (in order to have usable geo\_points).
+* ECS
+  * ECS fields nested under `ecs.` instead of being at the top level,
+    to avoid clashes during development.
+  * ECS fields are not set in the index template (and so are simply detected by ElasticSearch),
+    singe beats modules can only configure fields under their own section
+    (in this case `suricata.eve.*`)
+
+## How to try the module
+
+Copy this full repo at `beats/filebeat/module/suricata`.
+
+Set up the module (you may have to delete your Filebeat index template first).
+
+```
+cd filebeat
+make update
+./filebeat setup --modules=suricata -e -d "*" -c your/filebeat.yml -E 'setup.dashboards.directory=_meta/kibana'
+```
+
+Install Suricata
+
+```
+brew install suricata --with-jansson
+```
+
+Configure it to generate the EVE JSON log. Edit `/usr/local/etc/suricata/suricata.yaml` and set
+
+```
+- eve-log:
+    enabled: yes
+```
+
+Start Suricata
+
+```
+sudo suricata -i en0 # optionally more -i en1 -i en2...
+```
+
+Start the Suricata Filebeat module
+
+```
+./filebeat --modules=suricata -e -d "*" -c your/filebeat.yml
+```
+
+You can look for the Suricata saved searches and dashboards in Kibana.

x-pack/filebeat/module/suricata/_meta/config.yml

@@ -0,0 +1,8 @@
+- module: suricata
+  # All logs
+  eve:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:

x-pack/filebeat/module/suricata/_meta/docs.asciidoc

@@ -0,0 +1,42 @@
+:modulename: suricata
+
+== suricata module
+
+This is the suricata module.
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module requires the
+{elasticsearch-plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin.
+
+This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata.
+
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard
+
+include::../include/configuring-intro.asciidoc[]
+
+TODO: provide an example configuration
+
+:fileset_ex: {fileset}
+
+include::../include/config-option-intro.asciidoc[]
+
+TODO: document the variables from each fileset. If you're describing a variable
+that's common to other modules, you can reuse shared descriptions by including
+the relevant file. For example:
+
+[float]
+==== `{fileset}` log fileset settings
+
+include::../include/var-paths.asciidoc[]

x-pack/filebeat/module/suricata/_meta/fields.yml

@@ -0,0 +1,10 @@
+- key: suricata
+  title: Suricata
+  description: >
+    Module for handling the EVE JSON logs produced by Suricata.
+  fields:
+    - name: suricata
+      type: group
+      description: >
+        Fields from the Suricata EVE log file.
+      fields: