The Suricata network security monitor converts network
traffic into a stream of metadata events and provides a rule-matching engine to
generate alerts. Suricata emits events in the EVE JSON format: the
output is a single newline-delimited stream of events in which the event_type
field disambiguates the event type.
Tenzir's json parser can read EVE JSON as-is, but for the schema
names to match the value of the event_type field you need to pass the
option --selector=event_type:suricata. The suricata parser does this by
default.
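As an added example (not code from the original page or from Tenzir or Suricata), the following Python reader applies the selector logic described above to a stream of EVE JSON lines: it names each event's schema from the event_type field with the suricata prefix, skips lines that are malformed or lack event_type instead of aborting the stream, and reassembles partial lines the way they arrive from a socket or pipe. The sample events, the FIELD:PREFIX reading of the selector, and all function and class names are assumptions made for this example.

```python
from __future__ import annotations

import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample of EVE JSON lines (not captured from a real sensor).
# Line 4 is deliberately malformed and line 5 deliberately lacks event_type.
SAMPLE_EVE = (
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"EXAMPLE constructed rule","severity":2}}\n'
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53",'
    '"dns":{"type":"query","rrname":"example.com"}}\n'
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"bytes_toserver":120}}\n'
    'this line is not JSON\n'
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","src_ip":"10.0.0.5"}\n'
)


def parse_selector(selector: str) -> Tuple[str, str]:
    """Split a selector written as FIELD or FIELD:PREFIX (assumed syntax)."""
    field, _, prefix = selector.partition(":")
    if not field:
        raise ValueError(f"selector has no field name: {selector!r}")
    return field, prefix


def schema_name(event: dict, selector: str = "event_type:suricata") -> Optional[str]:
    """Derive the schema name for one event, e.g. suricata.alert.

    Returns None when the selector field is missing or not a string, so the
    caller decides whether to drop or quarantine such an event.
    """
    field, prefix = parse_selector(selector)
    value = event.get(field)
    if not isinstance(value, str) or not value:
        return None
    return f"{prefix}.{value}" if prefix else value


class LineAssembler:
    """Turn arbitrary byte chunks (as read from a socket) into whole lines.

    EVE JSON is newline-delimited, but a single read() on a socket may return
    half an event; bytes after the last newline are held until the next chunk.
    """

    def __init__(self) -> None:
        self._pending = b""

    def feed(self, chunk: bytes) -> List[str]:
        data = self._pending + chunk
        *complete, self._pending = data.split(b"\n")
        return [line.decode("utf-8", errors="replace") for line in complete if line]

    def flush(self) -> List[str]:
        """Return a trailing line that never got its newline (e.g. at EOF)."""
        rest, self._pending = self._pending, b""
        return [rest.decode("utf-8", errors="replace")] if rest else []


def iter_events(lines: Iterable[str],
                selector: str = "event_type:suricata") -> Iterator[Tuple[str, dict]]:
    """Yield (schema_name, event) pairs, skipping lines that cannot be used."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the stream
        if not isinstance(event, dict):
            continue
        name = schema_name(event, selector)
        if name is None:
            continue  # no usable event_type: nothing to route this event to
        yield name, event


def count_by_schema(text: str, selector: str = "event_type:suricata") -> Dict[str, int]:
    """Count events per derived schema name over a block of EVE JSON text."""
    counts: Dict[str, int] = {}
    for name, _ in iter_events(text.splitlines(), selector):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, event in iter_events(SAMPLE_EVE.splitlines()):
        print(name, event.get("src_ip"), "->", event.get("dest_ip"))
    print(count_by_schema(SAMPLE_EVE))
```

Run stand-alone, the script prints one line per routable event (suricata.alert, suricata.dns, suricata.flow) and drops the malformed line and the event without event_type. Feeding socket reads through LineAssembler before iter_events is what keeps a half-received event from being parsed as a malformed line.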
Instead of writing to a file, Suricata can also log to a UNIX domain socket that
Tenzir then reads from, which saves a filesystem round-trip. This requires the
following settings in your suricata.yaml:
Suricata creates eve.sock upon startup. Thereafter, you can read from the
socket via netcat: