Skip to main content
Version: Tenzir v4.11

Suricata

Suricata is network monitor with a rule matching engine to detect threats.

Use Tenzir to acquire, process, and store Suricata logs.

Ingest EVE JSON logs into a node

EVE JSON is the log format in which Suricata generates events.

A typical Suricata configuration looks like this:

suricata.yaml
outputs:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json

The filetype setting determines how you'd process the log file.

Import from a file

By default, Suricata uses the file type regular. Ingest into a node as follows:

from /path/to/eve.json read suricata
| import

Import from a Unix domain socket

If your filetype setting is unix_stream, you need to create a Unix domain socket first, e.g., like this:

nc -U -l /tmp/eve.socket

Then you can use the same pipeline as above, since Tenzir's file automatically detects the file type.