vast import suricata

Synopsis

usage: import suricata [<parameters>]

imports suricata eve json

parameters:
  [-h | -? | --help] <boolean>   prints the help text
  [--documentation?] <boolean>   prints the Markdown-formatted documentation
  [-l | --listen] <string>       the port number to listen on
  [-r | --read] <string>         path to input where to read events from
  [-s | --schema-file] <string>  path to alternate schema
  [-S | --schema] <string>       alternate schema as string
  [-t | --type] <string>         type the data should be parsed as
  [-d | --uds] <boolean>         treat -r as listening UNIX domain socket

Documentation

The suricata import format consumes EVE JSON logs from Suricata. EVE output is Suricata's unified format for logging all types of activity as a single stream of line-delimited JSON.

For each log entry, VAST parses the field event_type to determine the specific record type and then parses the data according to the known schema.

vast import suricata < eve.log
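The dispatch described above (read one JSON object per line, look at event_type, then check the record against the schema for that type) is easy to get subtly wrong on real EVE streams, which contain event types you have no schema for, truncated lines from log rotation, and records missing fields. The following is an added, self-contained Python example that is not VAST's own code: the per-type schemas in SCHEMAS are simplified assumptions (required top-level fields only), and the sample EVE log is constructed inline. It shows the same event_type-driven parsing with explicit handling of each failure mode, so that bad lines are reported rather than silently dropped or allowed to abort the import.

```python
import json
import sys
from typing import Any, Dict, List, Tuple

# Constructed, simplified per-event_type schemas for this example: required
# top-level fields and their expected JSON types. These are assumptions made
# here, not VAST's actual Suricata schema definitions.
SCHEMAS: Dict[str, Dict[str, type]] = {
    "alert": {"timestamp": str, "src_ip": str, "dest_ip": str, "alert": dict},
    "dns":   {"timestamp": str, "src_ip": str, "dest_ip": str, "dns": dict},
    "flow":  {"timestamp": str, "src_ip": str, "dest_ip": str, "flow": dict},
}

# Constructed sample EVE stream: three conforming events, one event type with
# no schema, one truncated line, and one record missing a required field.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2023-01-01T00:00:00.000000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "10.0.0.9",
                "dest_port": 80, "proto": "TCP",
                "alert": {"signature": "EXAMPLE constructed test rule", "severity": 2}}),
    json.dumps({"timestamp": "2023-01-01T00:00:01.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53", "proto": "UDP",
                "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}}),
    json.dumps({"timestamp": "2023-01-01T00:00:02.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
                "flow": {"pkts_toserver": 4, "pkts_toclient": 3, "state": "closed"}}),
    json.dumps({"timestamp": "2023-01-01T00:00:03.000000+0000", "event_type": "stats",
                "stats": {"uptime": 60}}),                                # no schema
    '{"timestamp": "2023-01-01T00:00:04.000000+0000", "event_type": "alert"',  # truncated
    json.dumps({"timestamp": "2023-01-01T00:00:05.000000+0000", "event_type": "dns",
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53"}),           # no "dns" object
    "",
])


def validate(event_type: str, record: Dict[str, Any]) -> List[str]:
    """Check a decoded record against the schema for its event_type.
    Returns a list of problems; an empty list means the record conforms."""
    problems: List[str] = []
    for field, expected in SCHEMAS[event_type].items():
        if field not in record:
            problems.append(f"missing field {field!r}")
        elif not isinstance(record[field], expected):
            problems.append(f"field {field!r} is not {expected.__name__}")
    return problems


def parse_eve(text: str) -> Tuple[List[Tuple[str, Dict[str, Any]]], List[Tuple[int, str]]]:
    """Parse line-delimited EVE JSON, dispatching on event_type.
    Returns (accepted, skipped): accepted is a list of (event_type, record),
    skipped is a list of (line_number, reason) for every line not imported."""
    accepted: List[Tuple[str, Dict[str, Any]]] = []
    skipped: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are harmless in an EVE stream
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            skipped.append((lineno, f"malformed JSON: {exc.msg}"))
            continue
        if not isinstance(record, dict):
            skipped.append((lineno, "top-level value is not an object"))
            continue
        event_type = record.get("event_type")
        if not isinstance(event_type, str):
            skipped.append((lineno, "missing or non-string event_type"))
            continue
        if event_type not in SCHEMAS:
            skipped.append((lineno, f"no schema for event_type {event_type!r}"))
            continue
        problems = validate(event_type, record)
        if problems:
            skipped.append((lineno, f"{event_type}: " + "; ".join(problems)))
            continue
        accepted.append((event_type, record))
    return accepted, skipped


def count_by_type(accepted: List[Tuple[str, Dict[str, Any]]]) -> Dict[str, int]:
    """Summarise imported records per event_type."""
    counts: Dict[str, int] = {}
    for event_type, _ in accepted:
        counts[event_type] = counts.get(event_type, 0) + 1
    return counts


if __name__ == "__main__":
    # Mirrors `vast import suricata < eve.log`: read the stream from stdin,
    # or fall back to the constructed sample when stdin is a terminal.
    text = SAMPLE_EVE if sys.stdin.isatty() else sys.stdin.read()
    ok, bad = parse_eve(text)
    print("imported:", count_by_type(ok))
    for lineno, reason in bad:
        print(f"skipped line {lineno}: {reason}")
```

Run it with `python3 eve_import.py < eve.log` (any file name works) to see which lines a strict importer would reject and why. The line number in each skip reason is what you want in an import log, because a malformed or schema-violating event in the middle of a rotated file is otherwise very hard to locate.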