Observing Suricata EVE Logs

Start observing, protecting, and adapting your network with Suricata to monitor, analyze, and detect network threats in real time.

Suricata

Suricata is a high-performance, open-source network analysis and threat detection engine used by private and public organizations and embedded by major vendors to protect their assets.

Suricata writes structured EVE (Extensible Event Format) JSON logs that the Wazuh agent collects, enabling centralized detection, correlation, and analysis of network security events.

Requirements (Suricata host):

  • Ubuntu 16.04–24.04 (64-bit)
  • x86_64/ARM64
  • Root privileges
  • Active network interface with AF-Packet
  • CPU 4vCPU, RAM 8GB, Storage 50GB

Install Suricata:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata jq

Configure Suricata:

sudo nano /etc/suricata/suricata.yaml

# under vars: -> address-groups:
    HOME_NET: "<IP_UBUNTU>"
    EXTERNAL_NET: "any"

# top-level keys
default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

stats:
  enabled: yes

af-packet:
  - interface: enp0s3

Replace <IP_UBUNTU> with the IP address of the system you want to monitor and adjust the interface name enp0s3 to match your environment. Keep the indentation shown: the address groups live under vars: -> address-groups:, and the remaining keys are top level.

sudo systemctl restart suricata

Suricata Rules:

cd /tmp/
curl -LO https://rules.emergingthreats.net/open/suricata-8.0.1/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo mkdir -p /etc/suricata/rules   # -p: the package may already have created it
sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 777 /etc/suricata/rules/*.rules   # Suricata only reads the rules; 0644 is sufficient

Verify Suricata Live Check:

sudo systemctl status suricata

tail -f /var/log/suricata/eve.json | jq .
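The jq pipe above is fine for eyeballing, but before shipping eve.json to Wazuh it helps to know exactly which fields the alert records carry and whether the sensor is dropping packets. The following is an added example, not code from the original post or from the Suricata project: it parses EVE lines, tolerates the partial line that tail -f can emit while Suricata is still writing a record, summarizes alerts by signature and severity, flattens nested keys into the dotted form the dashboard shows (alert.signature and so on), and totals kernel_drops from stats events. The sample records are constructed to mirror the EVE alert and stats shapes; they are not captured from a live sensor.

```python
"""Parse Suricata EVE (eve.json) lines and summarize alert and stats events.

Added example, not part of the original post. SAMPLE_EVE is constructed.
"""
import json
from collections import Counter

# Constructed sample: two alerts, one stats record, and one truncated line
# (what `tail -f` can show while Suricata is still writing the record).
SAMPLE_EVE = """\
{"timestamp":"2025-10-31T10:00:01.000000+0000","flow_id":1,"in_iface":"enp0s3","event_type":"alert","src_ip":"10.0.2.15","src_port":0,"dest_ip":"10.0.2.2","dest_port":0,"proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":2100384,"rev":6,"signature":"GPL ICMP PING","category":"Misc activity","severity":3}}
{"timestamp":"2025-10-31T10:00:02.000000+0000","flow_id":2,"in_iface":"enp0s3","event_type":"alert","src_ip":"10.0.2.15","src_port":0,"dest_ip":"10.0.2.2","dest_port":0,"proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":2100384,"rev":6,"signature":"GPL ICMP PING","category":"Misc activity","severity":3}}
{"timestamp":"2025-10-31T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":42,"kernel_drops":0}}}
{"timestamp":"2025-10-31T10:00:09.000000+0000","flow_id":3,"event_type":"ale
"""


def parse_eve_lines(text):
    """Return (events, skipped): parsed EVE records and the number of lines
    that were blank, not valid JSON, or lacked event_type."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # partial record; the next read will complete it
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def summarize_alerts(events):
    """Count alert events keyed by (signature_id, signature, severity)."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        counts[(a.get("signature_id"), a.get("signature"), a.get("severity"))] += 1
    return counts


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. alert.signature."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def capture_drops(events):
    """Sum kernel_drops over stats events. Non-zero drops mean the sensor
    missed traffic, so the alert stream is incomplete."""
    return sum(
        ev.get("stats", {}).get("capture", {}).get("kernel_drops", 0)
        for ev in events
        if ev.get("event_type") == "stats"
    )


if __name__ == "__main__":
    evs, bad = parse_eve_lines(SAMPLE_EVE)
    print(f"parsed {len(evs)} events, skipped {bad} incomplete line(s)")
    for (sid, sig, sev), n in summarize_alerts(evs).most_common():
        print(f"{n:4d}  sid={sid}  severity={sev}  {sig}")
    print("fields on first alert:", sorted(flatten(evs[0])))
    print("kernel_drops:", capture_drops(evs))
```

To run it against a live sensor, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json; a rising kernel_drops total is the first thing to check when expected alerts never reach the dashboard.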

Requirements (Wazuh agent):

  • Ubuntu/Debian Linux (64-bit)
  • Root privileges
  • Network connectivity to Wazuh server
  • Wazuh agent installed and enrolled
  • Read access to /var/log/suricata/eve.json

Connect to Wazuh:

sudo nano /var/ossec/etc/ossec.conf

<!-- inside an <ossec_config> block -->
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

sudo systemctl restart wazuh-agent

Verify Suricata EVE Collection:

ping -c 20 "<IP_UBUNTU>"

  • Log in to the Wazuh Dashboard
  • Open Threat Hunting and filter on rule.groups:suricata
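If nothing shows up under rule.groups:suricata, the usual cause is the ossec.conf edit: a typo in the path, a log_format other than json, or the block pasted outside an <ossec_config> element. The following added example (not part of the original post or of Wazuh) checks the agent configuration for a <localfile> entry that collects eve.json as JSON. It wraps the file in a synthetic root before parsing because ossec.conf commonly holds several top-level <ossec_config> blocks, which the standard XML parser would otherwise reject. The sample configuration is constructed; the server address is a placeholder.

```python
"""Check ossec.conf for a <localfile> that collects Suricata's eve.json as JSON.

Added example, not part of the original post. SAMPLE_OSSEC_CONF is constructed.
"""
import sys
import xml.etree.ElementTree as ET

EVE_PATH = "/var/log/suricata/eve.json"

# Constructed ossec.conf with two top-level <ossec_config> blocks, as the
# agent configuration often looks after manual edits.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <client>
    <server>
      <address>WAZUH_SERVER_PLACEHOLDER</address>
    </server>
  </client>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
"""


def localfiles(conf_text):
    """Return every <localfile> as {'log_format': ..., 'location': ...}.

    ossec.conf is not a single-rooted XML document, so wrap it first."""
    root = ET.fromstring(f"<root>{conf_text}</root>")
    return [
        {
            "log_format": (lf.findtext("log_format") or "").strip(),
            "location": (lf.findtext("location") or "").strip(),
        }
        for lf in root.iter("localfile")
    ]


def eve_collection_status(conf_text, eve_path=EVE_PATH):
    """'ok' if eve_path is collected as json, 'wrong-format' if it is collected
    with another log_format, 'missing' if no entry points at it."""
    for entry in localfiles(conf_text):
        if entry["location"] == eve_path:
            return "ok" if entry["log_format"] == "json" else "wrong-format"
    return "missing"


if __name__ == "__main__":
    # Pass /var/ossec/etc/ossec.conf as the first argument to check a real agent.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OSSEC_CONF
    for entry in localfiles(text):
        print(f"{entry['log_format']:8s} {entry['location']}")
    print("eve.json collection:", eve_collection_status(text))
```

Run it as root with the agent's ossec.conf path after editing the file and before restarting wazuh-agent; a result of "missing" or "wrong-format" points at the configuration rather than at Suricata.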

Suricata alerts are collected into Wazuh, giving security teams centralized insight and the ability to monitor, analyze, and respond to security threats.


Source: https://1337rokudenashi.github.io/6f1a9d2b-4c3f-4b9a-8f5d-1a2b3c4d5e6f/
Author: 1337rokudenashi
Posted on: October 31, 2025