If you’re running Suricata to watch your network, you already know how much signal lives in its logs. Graylog provides a purpose-built way to make that signal immediately actionable. The Suricata IDS/IPS Content Pack, available with an Illuminate license and Graylog Enterprise or Graylog Security, delivers ready-to-use parsing rules, streams, GIM categorization, and a dashboard so you can turn raw Suricata EVE JSON events into structured, searchable security intelligence.
What is Suricata?
Suricata is a free and open-source network threat detection engine capable of real-time intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. It inspects traffic across dozens of protocols and writes its findings out as EVE JSON, a single structured log format that covers everything from alerts and anomalies to protocol-level metadata for DNS, HTTP, TLS, SSH, SMB, and more.
Because Suricata sits directly in the traffic path, its logs are one of the richest sources of network visibility available to a security team. Getting that data into Graylog in a normalized, correlated form is what turns a stream of raw EVE JSON into usable detection and investigation data.
What This Pack Does
The Suricata IDS/IPS Content Pack is purpose-built for Suricata 6.x, 7.x, and 8.x environments producing EVE JSON output, and also supports the legacy plain-text http.log and tls.log formats used in Suricata 7 and earlier. Once installed, it automatically parses EVE JSON events into Graylog schema-compatible fields, enriches them, and maps them to the Graylog Information Model (GIM).
Included in the pack:• Stream-Illuminate Suricata Messages: created automatically if it doesn’t exist, with routing preconfigured and no stream rules required. • Index Set-Suricata IDS/IPS Logs: pre-defined with a daily rotation and 90-day retention, adjustable after installation. • Parsing Rules: Extracts structured fields from Suricata EVE JSON across alert, anomaly, ARP, BitTorrent DHT, DCERPC, DHCP, DNS, FTP, HTTP, Modbus, MQTT, NetFlow, network flow, NFS, PgSQL, POP3, QUIC, RDP, RFB/VNC, SMB, SMTP, SNMP, SSH, TFTP, TLS, and file info events. • GIM Categorization: Event type and severity normalization, including alert severity and log severity. • Input Support: Filebeat/GELF, syslog TCP/UDP, and raw TCP/UDP, plus legacy Suricata |
|---|
Requirements• Graylog 7.1.0+ with a valid Enterprise or Security license and Illuminate installed |
|---|
Getting Logs into Graylog
Step 1 — Configure a Graylog Input
Create a Beats input (for Filebeat), or a Syslog TCP/UDP input if you plan to forward EVE JSON via syslog. Note the port for use in your agent configuration.
Step 2 — Configure Filebeat via Sidecar (Recommended)
Use the Filebeat agent with the ndjson input type via a Graylog Sidecar:
- Refer to the official documentation to set up Graylog Sidecar for Filebeat.
- Create a matching Beats input in Graylog.
- Ensure the option Do not add Beats type as prefix is disabled.
- Add the following snippet to your Filebeat configuration:
- type: filestream
id: suricata-eve-filestream
enabled: true
paths:
- /var/log/suricata/eve.json
parsers:
- ndjson:
target: ""
add_error_key: true
expand_keys: false
fields_under_root: true
fields:
filebeat_event_source_product: suricata
This snippet is only the section that adds Suricata EVE JSON ingestion to an existing Filebeat configuration. Adjust the path if your installation differs from the default. Nested JSON fields are delivered using dot notation (for example, alert.severity, dns.rrname).
Step 3 — Configure Syslog (Option B)
Suricata can also be configured to send EVE JSON via syslog to a Graylog Syslog TCP or UDP input. Set application_name to suricata. The EVE JSON payload is embedded in the syslog message field and parsed by the pack’s syslog processing rule.
Step 4 — Install and Activate the Content Pack
In Graylog, navigate to Enterprise → Illuminate, locate the Suricata IDS/IPS Processing Pack and Spotlight, and activate it. The stream and index set are created automatically. No additional rules are needed.
Suricata Log Message Processing
Suricata EVE JSON events are identified by the event_type field, and several event types receive additional refinement before GIM categorization:
- DNS events: distinguished between queries (
dns.type = "query") and answers (dns.type = "answer"), with RFC 2136 DDNS UPDATE messages (dns.opcode = 5) assigned their own GIM code. - Flow events: closed flows (
flow.state = "closed") receive a distinct GIM code from established flows. - DHCP events:
vendor_dhcp_typerefines the GIM code (discover, request, offer, ack), with unrecognized types defaulting to a generic code.
Events Processed by This Pack
The content pack processes the full range of Suricata EVE JSON event types, including:
- Alert and anomaly events: including IPS drop actions
- Network protocol: events: ARP, DCERPC, DHCP, DNS, FTP, HTTP, HTTP/2, IKE, Kerberos (KRB5), Modbus, MQTT, NFS, PgSQL, POP3, QUIC, RDP, RFB/VNC, SMB, SMTP, SNMP, SSH, TFTP, and TLS
- Flow and NetFlow: events, including session state and byte/packet counters
- BitTorrent DHT: events
- File info: events, including filename, magic type, hash, and size metadata info
GIM Categorization
Suricata events are mapped to the Graylog Information Model, enabling consistent correlation with other data sources across your environment:
| Event Type | Description | GIM Category | GIM Event Type |
|---|---|---|---|
alert |
Signature match against network traffic, with configured action | detect/response | alert |
anomaly |
Protocol or stream-level anomaly detected during inspection | network | anomaly |
dns (query) |
DNS query observed on the wire | network | DNS query |
dns (answer) |
DNS answer observed on the wire | network | DNS answer |
dns (DDNS update) |
RFC 2136 dynamic DNS update request | network | DDNS update |
flow (closed) |
Network flow that has completed and closed | network | network flow closed |
flow (active) |
Established, ongoing network flow | network | network flow |
http / http2 |
Application-layer HTTP request/response metadata | network | web traffic |
tls |
TLS handshake and certificate metadata | network | encrypted traffic |
ssh |
SSH client/server version exchange | network | remote access |
krb5 |
Kerberos ticket request and encryption metadata | authentication | credential validation |
smb |
SMB session and file share activity | network | file share access |
fileinfo |
File observed in transit, with hash and magic type | network | file transfer |
dhcp |
DHCP discover, request, offer, or ack | network | DHCP lease event |
rfb |
VNC/RFB remote framebuffer session metadata | network | remote access |
bittorrent_dht |
BitTorrent DHT protocol activity | network | peer-to-peer traffic |
Why Log Suricata Events?
Collecting Suricata EVE JSON logs gives you more than a record of network traffic — it directly supports security detection, incident response, and compliance audit use cases.
Security Monitoring
- Detect signature-based alerts across the full breadth of protocols Suricata inspects
- Identify anomalous stream and protocol behavior before it escalates
- Spot IPS drop actions taken against malicious traffic in real time
- Correlate alert severity with asset criticality to prioritize response
Threat Hunting
- Pivot from a
fileinfohash to relatedflowandalertevents for the same host - Search TLS SNI and certificate metadata for indicators tied to known infrastructure
- Trace DNS query and answer pairs to uncover DGA or tunneling activity
- Review Kerberos ticket encryption strength to flag weak or downgraded authentication
Incident Response
- Reconstruct a full session timeline using flow start/end and byte/packet counters
- Identify every protocol touched by a host during a suspected compromise
- Extract file hashes and metadata captured in transit for malware analysis
- Correlate alerts across multiple sensors to scope the extent of an incident
Compliance & Audit
- Maintain a durable, searchable record of network intrusion detection activity
- Demonstrate network monitoring controls required by frameworks such as PCI DSS, HIPAA, or SOC 2
- Retain protocol-level metadata to support audit and forensic review requirements

Graylog Enterprise and Security
With Graylog Enterprise and Security, your team gains structured visibility into one of the richest network telemetry sources available with your IDS/IPS. The Suricata IDS/IPS Content Pack turns raw EVE JSON events into searchable, correlated, GIM-tagged data that flows directly into your threat detection, alerting, and investigation workflows. For more on this integration, please follow the documentation.