Shipping logs to logstash

Hi @ms

Yes, it does, and in fact I was initially using the remote syslog capability in IPFire to send to Logstash. I configured Suricata to dump into syslog and shipped it all to Logstash using the built-in remote syslog capability.

The problem with this, however, is that apparently the sysklogd being used does not support TLS, which means the logs are sent in plain text. There is also no authentication being done at Logstash: you have to leave it wide open, so any John Doe can start flooding you with fake logs unless you restrict by IP, etc.

By using Filebeat we can leverage a TLS connection to Logstash, which both encrypts the logs and provides auth, as only the cert I give to Filebeat is allowed to send data to my Logstash.
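The setup the post describes, as an added example rather than the poster's own configuration: a Filebeat `filebeat.yml` that reads Suricata's EVE JSON log and ships it to Logstash over TLS, presenting a client certificate so that Logstash can reject any sender that was not issued one. The hostname, port, certificate paths and the Suricata log path are assumptions for illustration.

```yaml
# filebeat.yml (added example; not the poster's own config)
# Assumptions: Logstash reachable as logstash.example.internal:5044,
# certificates issued by a private CA under /etc/filebeat/certs/,
# Suricata EVE JSON log at /var/log/suricata/eve.json.

filebeat.inputs:
  - type: filestream
    id: suricata-eve
    paths:
      - /var/log/suricata/eve.json      # assumed path; adjust for your system
    parsers:
      - ndjson:
          target: "suricata"            # keep EVE fields under one key
          add_error_key: true           # flag lines that fail to parse

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # assumed host
  ssl.enabled: true
  # Trust only the private CA that issued the Logstash server cert,
  # so a rogue collector cannot impersonate it.
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  # Client certificate and key: this is what lets Logstash reject any
  # sender that was not issued a cert by the same CA.
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/certs/filebeat.key"
  # "full" checks the chain and that the server name matches the cert.
  ssl.verification_mode: full
  # Refuse legacy protocol versions.
  ssl.supported_protocols: [TLSv1.2, TLSv1.3]
```

The client certificate only buys authentication if the Logstash side demands it: in the `beats` input, set `ssl => true`, point `ssl_certificate_authorities` at the same CA certificate, and set `ssl_verify_mode => "force_peer"` (newer releases of the input plugin call this `ssl_client_authentication => "required"`). With the default of not verifying peers, the connection is still encrypted but any host can connect, which is exactly the flooding problem the post describes for plain syslog. `filebeat test output` on the IPFire box confirms the handshake succeeds before any logs are sent.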