
Suricata is a network monitor with a rule matching engine to detect threats. Use Tenzir to acquire, process, and store Suricata logs.

EVE JSON

EVE JSON is the log format in which Suricata generates events.

A typical Suricata configuration looks like this:

suricata.yaml
outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular # regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json

The filetype setting determines how Suricata delivers the log, and therefore how you process it; it defaults to regular.

Onboard Suricata EVE JSON logs via the read_suricata operator as follows:

from_file "/path/to/eve.json" {
  read_suricata
}
publish "suricata"

Suricata can also send EVE JSON to a Unix stream socket:

suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /run/suricata/eve.sock

Start Tenzir before Suricata so that Tenzir creates the socket and accepts the incoming stream:

accept_unix_socket "/run/suricata/eve.sock" {
  read_suricata
}
publish "suricata"

This is different from Suricata’s unix-command socket. The command socket is for JSON control commands, for example through suricatasc; it doesn’t carry EVE events.
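The unix_stream exchange above, as an added stand-alone Python example (not Tenzir's or Suricata's own code): one side plays the listener that accept_unix_socket provides, a thread plays Suricata's eve-log writer, and the reader decodes newline-delimited EVE JSON while handling records split across recv() calls. The socket path, the writer's chunk size and the EVE lines are constructed for the demonstration; the start-order check shows why the listener has to exist before Suricata connects.

```python
import json
import socket
import tempfile
import threading

# Constructed EVE JSON lines, not captured Suricata output.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"CONSTRUCTED rule","severity":2}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"CONSTRUCTED rule","severity":1}}',
]

def parse_eve_chunk(buffer: bytes):
    # EVE is newline-delimited JSON; a recv() may end mid-record, so keep the unfinished tail.
    *complete, tail = buffer.split(b"\n")
    return [json.loads(line) for line in complete if line.strip()], tail

def writer_can_connect(sock_path: str) -> bool:
    # Suricata's unix_stream output is the connecting side: with no listener yet, connect() fails.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        try:
            client.connect(sock_path)
            return True
        except (FileNotFoundError, ConnectionRefusedError):
            return False

def collect_eve_over_unix_stream(lines):
    # Listener first (accept_unix_socket's role), then a thread playing Suricata streams `lines`.
    sock_path = tempfile.mkdtemp() + "/eve.sock"  # constructed path for the demo
    before = writer_can_connect(sock_path)  # False: nobody is listening yet
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
        listener.bind(sock_path)  # bind() is what creates the socket file
        listener.listen(1)
        def suricata_side():
            payload = ("\n".join(lines) + "\n").encode()
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(sock_path)
                for i in range(0, len(payload), 37):  # odd chunking splits records
                    client.sendall(payload[i:i + 37])
        writer = threading.Thread(target=suricata_side)
        writer.start()
        conn, _ = listener.accept()
        counts, tail = {}, b""
        with conn:
            while chunk := conn.recv(4096):
                events, tail = parse_eve_chunk(tail + chunk)
                for event in events:
                    counts[event["event_type"]] = counts.get(event["event_type"], 0) + 1
        writer.join()
    return before, counts  # e.g. (False, {"alert": 2, "flow": 1})
```

Running `collect_eve_over_unix_stream(SAMPLE_EVE_LINES)` returns the per-event_type tally of everything the listener received, plus the failed pre-listener connect attempt that illustrates the start-order requirement.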
