Use Snort 3 log in Opensearch

OpenSearch 2.9.0
Dashboard 2.9.0
Ubuntu 22.04

Hi everyone,

I’ve installed Snort 3 as an IPS on my Ubuntu machine and now, I would want to use OpenSearch as a SIEM. I’ve downloaded OpenSearch and Dashboard, there are now running in a minimum configuration (I can access from a distant machine) but there is no data to see.
It’s here that I have some trouble. I am a little bit lost in the configuration of OpenSearch. Snort 3 is writing alerts logs in several files. I would want that Opensearch takes those log files and analyse them in real time to do data visualisation and to generate statistics, email notifications…

I understood that I need plugins like opensearch-observability to generate notifications, alerts, etc… from data. But to pass this data (snort logs) to opensearch, do I need a plugin too ? How can I do to see my snort logs in Opensearch dashboard ?

Thank you for your help

You need an ingestion tool to ingest all of the logs into OpenSearch, there are so many tools can be used, such as Fluent-bit, Logstash, Filebeat, Data-prepper etc. See this page about how to use Fluent-bit: OpenSearch - Fluent Bit: Official Manual.

Thanks a lot ! I’m going to see that right now

Hi !
So I try the installation with Logstash to ingest snort’s logs but I encounter some configuration issues.
I installed OpenSearch and OpenSearch Dashboard by following this guide :
I installed Logstach from the OpenSearch website ( so with the plugin opensearch-outpput integrate.

Logstash work in a minimum configuration. For example with the argument “-e input { stdin {} } output { stdout {} }” it’s working. It’s also working when I put log files in input. The problem come when I try to configure the output to Opensearch.

I first tried with the following configuration :slight_smile:

output {
  opensearch {
    hosts => [""]
    user => "admin"
    password => "xxxxx"
    index => "logstash-logs"

But I got an error wich seams to indicate there is a certificate problem :

[2023-07-28T10:12:29,086][WARN ][logstash.outputs.opensearch][main] Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>"https://admin:xxxxxx@", :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::HostUnreachableError, :message=>"OpenSearch Unreachable: [https://admin:xxxxxx@][Manticore::ClientProtocolException] PKIX path building failed: unable to find valid certification path to requested target"}

During the OpenSearch installation, I created differents certificates so I tried different combination with lines about certificate :

ssl => true/false
ssl_certificate_verification => true/false
cacert => "path/to/the/admin/certificate/created/during/the/opensearch/installation/.crt"

But none of them works (maybe I just missed the one which is working…).
Given the installation I’ve made, what should by the configuration that I need in my logstash pipeline ?

Here are some info about my installation :
hostname : snort3
fqdn : snort3.hwdomain.lan
IP :

Please tell me if you need more informations to answer to my question.
Thanks for your help !

You can add the following settings to the output.opensearch section of your logstash config file:

ssl => true
ssl_certificate_verification => false

, this will disable ssl certificate verification.

Thank you, it does remove the certificate error. But since we don’t use certificate verification, does that mean the seurity of the installation is impacted ?

Yes, the security will be impacted, but maybe not a big issue if logstash and OpenSearch are in the same private network.

Ok great it’s the case in my environnement.
Thank you for your help