Skip to content



Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network device logs The multiple kinds of logs offered by suricata provide a good overview of the network activity
Network intrusion detection system The alert logs give information about events that matched a rule in the NIDS
Network protocol analysis The multiple kind of logs offered by suricata offer a good overview of the network activity
Web logs Suricata http.log provides many web information like the connected client, the requested resource or even the user agent
DNS records If enabled Suricata can log DNS queries and answers
SSL/TLS certificates If enabled Suricata may log information about the TLS certificates


Suricata leverages its EVE output module to report alerts, metadata, file info and protocol records in JSON. As described in the official documentation, this module can report its findings through the syslog facility.

Configure Suricata to forward events to rsyslog

Open the Suricata configuration file (please note that the path to the configuration file may change depending on the OS and your configuration):

sudo vim /etc/suricata/suricata.yaml

Paste the following declaration in your suricata configuration to trigger the production of syslog entries under the local5 facility:

  - eve-log:
      enabled: yes
      identity: suricata
      facility: local5
      level: Info
        - alert
        - http
        - dns
        - tls

Configure the Rsyslog server

Given this Suricata configuration, your local rsyslog server will handle produced records. Please consult the Rsyslog Transport documentation to forward these logs to

Further Readings