Suricata IDS/IPS Data in Graylog

Suricata IDS-IPS Data in Graylog

If you’re running Suricata to watch your network, you already know how much signal lives in its logs. Graylog provides a purpose-built way to make that signal immediately actionable. The Suricata IDS/IPS Content Pack, available with an Illuminate license and Graylog Enterprise or Graylog Security, delivers ready-to-use parsing rules, streams, GIM categorization, and a dashboard so you can turn raw Suricata EVE JSON events into structured, searchable security intelligence.

 

What is Suricata?

Suricata is a free and open-source network threat detection engine capable of real-time intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects traffic across dozens of protocols and writes its findings out as EVE JSON, a single structured log format that covers everything from alerts and anomalies to protocol-level metadata for DNS, HTTP, TLS, SSH, SMB, and more.

Because Suricata sits directly in the traffic path, its logs are one of the richest sources of network visibility available to a security team. Getting that data into Graylog in a normalized, correlated form is what turns a stream of raw EVE JSON into usable detection and investigation data.

 

What This Pack Does

The Suricata IDS/IPS Content Pack is purpose-built for Suricata 6.x, 7.x, and 8.x environments producing EVE JSON output, and also supports the legacy plain-text http.log and tls.log formats used in Suricata 7 and earlier. Once installed, it automatically parses EVE JSON events into Graylog schema-compatible fields, enriches them, and maps them to the Graylog Information Model (GIM).

 

Included in the pack:

Stream-Illuminate Suricata Messages: created automatically if it doesn’t exist, with routing preconfigured and no stream rules required.

Index Set-Suricata IDS/IPS Logs: pre-defined with a daily rotation and 90-day retention, adjustable after installation.

Parsing Rules: Extracts structured fields from Suricata EVE JSON across alert, anomaly, ARP, BitTorrent DHT, DCERPC, DHCP, DNS, FTP, HTTP, Modbus, MQTT, NetFlow, network flow, NFS, PgSQL, POP3, QUIC, RDP, RFB/VNC, SMB, SMTP, SNMP, SSH, TFTP, TLS, and file info events.

GIM Categorization: Event type and severity normalization, including alert severity and log severity.

Input Support: Filebeat/GELF, syslog TCP/UDP, and raw TCP/UDP, plus legacy Suricata http.log and tls.log plain-text formats.

 

Requirements

• Graylog 7.1.0+ with a valid Enterprise or Security license and Illuminate installed
• Suricata configured with EVE JSON output enabled
• Suricata 6.x or later (8.x tested); legacy plain-text http.log/tls.log support for Suricata ≤ 7

 

Getting Logs into Graylog

Step 1 — Configure a Graylog Input

Create a Beats input (for Filebeat), or a Syslog TCP/UDP input if you plan to forward EVE JSON via syslog. Note the port for use in your agent configuration.

Step 2 — Configure Filebeat via Sidecar (Recommended)

Use the Filebeat agent with the ndjson input type via a Graylog Sidecar:

  1. Refer to the official documentation to set up Graylog Sidecar for Filebeat.
  2. Create a matching Beats input in Graylog.
  3. Ensure the option Do not add Beats type as prefix is disabled.
  4. Add the following snippet to your Filebeat configuration:
- type: filestream
  id: suricata-eve-filestream
  enabled: true
  paths:
    - /var/log/suricata/eve.json
  parsers:
    - ndjson:
        target: ""
        add_error_key: true
        expand_keys: false
  fields_under_root: true
  fields:
    filebeat_event_source_product: suricata

This snippet is only the section that adds Suricata EVE JSON ingestion to an existing Filebeat configuration. Adjust the path if your installation differs from the default. Nested JSON fields are delivered using dot notation (for example, alert.severity, dns.rrname).

Step 3 — Configure Syslog (Option B)

Suricata can also be configured to send EVE JSON via syslog to a Graylog Syslog TCP or UDP input. Set application_name to suricata. The EVE JSON payload is embedded in the syslog message field and parsed by the pack’s syslog processing rule.

Step 4 — Install and Activate the Content Pack

In Graylog, navigate to Enterprise → Illuminate, locate the Suricata IDS/IPS Processing Pack and Spotlight, and activate it. The stream and index set are created automatically. No additional rules are needed.

 

Suricata Log Message Processing

Suricata EVE JSON events are identified by the event_type field, and several event types receive additional refinement before GIM categorization:

  • DNS events: distinguished between queries (dns.type = "query") and answers (dns.type = "answer"), with RFC 2136 DDNS UPDATE messages (dns.opcode = 5) assigned their own GIM code.
  • Flow events: closed flows (flow.state = "closed") receive a distinct GIM code from established flows.
  • DHCP events: vendor_dhcp_type refines the GIM code (discover, request, offer, ack), with unrecognized types defaulting to a generic code.

 

Events Processed by This Pack

The content pack processes the full range of Suricata EVE JSON event types, including:

  • Alert and anomaly events: including IPS drop actions
  • Network protocol: events: ARP, DCERPC, DHCP, DNS, FTP, HTTP, HTTP/2, IKE, Kerberos (KRB5), Modbus, MQTT, NFS, PgSQL, POP3, QUIC, RDP, RFB/VNC, SMB, SMTP, SNMP, SSH, TFTP, and TLS
  • Flow and NetFlow: events, including session state and byte/packet counters
  • BitTorrent DHT: events
  • File info: events, including filename, magic type, hash, and size metadata info

 

GIM Categorization

Suricata events are mapped to the Graylog Information Model, enabling consistent correlation with other data sources across your environment:

Event Type Description GIM Category GIM Event Type
alert Signature match against network traffic, with configured action detect/response alert
anomaly Protocol or stream-level anomaly detected during inspection network anomaly
dns (query) DNS query observed on the wire network DNS query
dns (answer) DNS answer observed on the wire network DNS answer
dns (DDNS update) RFC 2136 dynamic DNS update request network DDNS update
flow (closed) Network flow that has completed and closed network network flow closed
flow (active) Established, ongoing network flow network network flow
http / http2 Application-layer HTTP request/response metadata network web traffic
tls TLS handshake and certificate metadata network encrypted traffic
ssh SSH client/server version exchange network remote access
krb5 Kerberos ticket request and encryption metadata authentication credential validation
smb SMB session and file share activity network file share access
fileinfo File observed in transit, with hash and magic type network file transfer
dhcp DHCP discover, request, offer, or ack network DHCP lease event
rfb VNC/RFB remote framebuffer session metadata network remote access
bittorrent_dht BitTorrent DHT protocol activity network peer-to-peer traffic

 

Why Log Suricata Events?

Collecting Suricata EVE JSON logs gives you more than a record of network traffic — it directly supports security detection, incident response, and compliance audit use cases.

 

Security Monitoring

  • Detect signature-based alerts across the full breadth of protocols Suricata inspects
  • Identify anomalous stream and protocol behavior before it escalates
  • Spot IPS drop actions taken against malicious traffic in real time
  • Correlate alert severity with asset criticality to prioritize response

 

Threat Hunting

  • Pivot from a fileinfo hash to related flow and alert events for the same host
  • Search TLS SNI and certificate metadata for indicators tied to known infrastructure
  • Trace DNS query and answer pairs to uncover DGA or tunneling activity
  • Review Kerberos ticket encryption strength to flag weak or downgraded authentication

 

Incident Response

  • Reconstruct a full session timeline using flow start/end and byte/packet counters
  • Identify every protocol touched by a host during a suspected compromise
  • Extract file hashes and metadata captured in transit for malware analysis
  • Correlate alerts across multiple sensors to scope the extent of an incident

 

Compliance & Audit

  • Maintain a durable, searchable record of network intrusion detection activity
  • Demonstrate network monitoring controls required by frameworks such as PCI DSS, HIPAA, or SOC 2
  • Retain protocol-level metadata to support audit and forensic review requirements

 

Suricata Overview Dashboard

Graylog Enterprise and Security

With Graylog Enterprise and Security, your team gains structured visibility into one of the richest network telemetry sources available with your IDS/IPS. The Suricata IDS/IPS Content Pack turns raw EVE JSON events into searchable, correlated, GIM-tagged data that flows directly into your threat detection, alerting, and investigation workflows. For more on this integration, please follow the documentation.

 

Categories

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.