In many cases the FMADIO system sits at the edge of the network. Where the device is primairly a decode analysis edge device that sends the processed data to a central location. Example configuration is shown below.
In the above example there are 3 FAMDIO devices processing the raw captured data, sending the logs to a single Security LXC instance where the database and Grafana are located.
This can be setup easily using the following configuration
Step 1) Create config file
In the LXC Security container on the FMADIO device go to the directory
/opt/fmadio/app/suricata/etc/Create or Edit a file named
logger.luaStep 2) Set remote details
Edit the file by, adjusting the IP address, username, password based on your environment
local Config = {}
Config.CHHost = "127.0.0.1"
Config.CHUser = "default"
Config.CHPass = "secret"
return ConfigStep 3) Wait for data
Once updated, the system should automatically use the new config file.
Debugging
Check the system log file for errors
Syslog
journalctl -f -u fmadio-logger.serviceThis will print out the log file
Restart logger
Try restarting the logger process with below
systemctl restart fmadio-logger.serviceWatch the above journalctl output