Suricata VS arkime

Linux has (free) tools to improve security and detect/remove malware: Lynis,Chkrootkit,Rkhunter,ClamAV,Vuls,LMD,radare2,Yara,ntopng,maltrail,Snort,Suricata...

Monitoring & Active Measures - Exporting firewall events to an external time-series database like I describe above is good to see who is touching your firewall or accessing your web site. Using an Intrusion Detection System / Intrusion Prevention System (IDS/IPS) such as open-source Suricata, which is a free package on pfSense, and deploying file system integrity monitoring, such as the open-source Wazuh on the exposed server are also good approaches to protecting yourself.

You could try running Suricata

Check out https://suricata.io/

Suricata: https://suricata.io/ IDS/IPS

Active Measures - Includes (IDS/IPS) such as open-source Suricata or Snort on pfSense, and File Integrity Monitoring (FIM), such as the commercial Tripwire and dated, open-source Tripwire, or the open-source Wazuh installed on servers. These can be combined into a Security Information and Event Management (SIEM) system like the open-source solution, Security Onion. Wazuh itself has evolved into a SIEM.

Active measures may include an intrusion detection system / intrusion prevention systems (IDS/IPS) such as open-source Suricata on the firewall, and installing file system integrity monitoring, such as the open-source Wazuh on the exposed server. These are combined in one open-source solution, Security Onion

Arkime: https://arkime.com/ Packet capture and search

Also consider running full PCAP collection with https://arkime.com/ so you can monitor your past network traffic. That has come in handy many times for security and troubleshooting, and doesn't require as much horsepower as you might think.

Anyone using Arkime? https://arkime.com/

dns && ip.src==x.y.z.w Note that this display filter will not display the DNS replies for the requests sent by x.y.z.w if you want those as well then it will be dns && ip.addr==x.y.z.w Although DNS will be displayed in upper case in Wireshark, it has to be in lower case in the display filter, that said, like others said based on your exact needs and the size of your resulting pcap / pcapng file you may want to look at capture filters, finally if you are dealing with multiple gegabytes file(s) you may want to take a look at another tool like Arkime (formerly moloch) https://arkime.com/

Full PCAP's? Look at https://arkime.com/ or network miner. Arkime is probably more what you're looking for. But I love network miner

I used moloch which is now https://arkime.com/. It used to be free and was a great tool for pcaps. Uses elastic underneath.

Arkime is secure, scaleable, indexed packet capture and search tool that can improve your network security by providing greater visibility. This open-source tool stores and indexes network traffic in standard PCAP format. Our thanks for the suggestion goes to Security_Chief_Odo.

I would suggest instead of graylog look into something like this https://arkime.com/