Suricata

The Matano managed log source for Suricata lets you ingest your Suricata IDS/IPS/NSM logs. It parses logs written in Suricata's Eve JSON format.

Usage

Use the managed log source by specifying the managed.type property in your log_source as SURICATA.

name: "suricata"

managed:
  type: "SURICATA"

Then create tables for each of the Suricata logs you want to ingest. For example, if you want to ingest Suricata Eve logs, create table files like so:

my-matano-dir/
└── log_sources/
    └── suricata/
        ├── log_source.yml
        └── tables/
            ├── eve.yml
            └── ...

# log_sources/suricata/tables/eve.yml
name: "eve"

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.

Tables

The Suricata managed log source supports the following tables:

  • eve

Ingest

S3 (default)

For a log source named suricata, a file under the path suricata/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log will be routed to the eve table.

S3 Path scheme to table:

  • * (all) -> eve

Schema

Suricata data is normalized to ECS fields. You can view the complete mappings to see the full schemas.
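As an added illustration of what Eve-to-ECS normalization looks like (this is not Matano's own mapping code, and the exact ECS field set Matano emits is not shown here), the function below maps constructed Eve JSON alert and flow records onto ECS-style field names; the field choices are an assumption for the example.

```python
import json
from typing import Any

# Constructed Eve JSON lines for the example (not real traffic, not from the page).
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2024-01-01T12:00:00.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 52344,
        "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
        "alert": {"signature_id": 1000001, "rev": 3, "severity": 2,
                  "signature": "CONSTRUCTED outbound beacon test",
                  "category": "Potentially Bad Traffic"},
    }),
    json.dumps({
        "timestamp": "2024-01-01T12:00:01.000000+0000", "event_type": "flow",
        "src_ip": "10.0.0.7", "src_port": 40000,
        "dest_ip": "10.0.0.1", "dest_port": 53, "proto": "UDP",
        "flow": {"pkts_toserver": 1, "pkts_toclient": 1,
                 "bytes_toserver": 60, "bytes_toclient": 120},
    }),
]

def eve_to_ecs(line: str) -> dict[str, Any]:
    """Map one Eve JSON record to a flat dict keyed by ECS-style field names.

    Illustrative mapping only (an assumption, not Matano's managed schema):
    common 5-tuple fields are always set, then per-event_type fields are added.
    """
    eve = json.loads(line)
    ecs: dict[str, Any] = {
        "@timestamp": eve["timestamp"],
        "event.kind": "alert" if eve["event_type"] == "alert" else "event",
        "event.dataset": f"suricata.{eve['event_type']}",
        "source.ip": eve.get("src_ip"), "source.port": eve.get("src_port"),
        "destination.ip": eve.get("dest_ip"), "destination.port": eve.get("dest_port"),
        "network.transport": eve.get("proto", "").lower() or None,
    }
    if eve["event_type"] == "alert":
        a = eve["alert"]  # rule metadata goes under ECS rule.* and event.severity
        ecs.update({"rule.id": str(a["signature_id"]), "rule.version": str(a["rev"]),
                    "rule.name": a["signature"], "rule.category": a["category"],
                    "event.severity": a["severity"]})
    elif eve["event_type"] == "flow":
        f = eve["flow"]  # directional counters map to source.* / destination.*
        ecs.update({"source.packets": f["pkts_toserver"], "source.bytes": f["bytes_toserver"],
                    "destination.packets": f["pkts_toclient"],
                    "destination.bytes": f["bytes_toclient"]})
    return {k: v for k, v in ecs.items() if v is not None}  # drop absent fields

def normalize_lines(lines: list[str]) -> list[dict[str, Any]]:
    return [eve_to_ecs(line) for line in lines]
```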