Can Suricata read traffic from a log server & perform analysis without an network interface to monitor

  • Suricata version - 7.0
  • Operating system and/or Linux distribution - ubuntu server
  • How you installed Suricata - source


I have installed suricata on the ubuntu server & it is up and running fine.
I wanted to know without the second network interface(monitor) can suricata read logs from an log server and trigger alerts using the pre-defined ruleset.
If yes, will it affect real time monitoring.

The basic idea is to see if suricata can work without any monitoring interface by feeding it data/log from other sources.

The only way to feed in data is to use the pcap read mode, so you can run pcaps towards Suricata, see 7. Command Line Options — Suricata 8.0.0-dev documentation with the -r option. Another alternative could be a dummy interface that Suricata could attach to and forward the traffic there.

But reading log files is not supported. What format do you expect from the log server?

The reason I wanted to use a log server without the interface is in a day we get close to 70 tb traffic data.
A physical server was present earlier with a different IDS solution, so I wanted to check if an alternative solution is present where we can collect all the logs & detect using it.

What type of logs are you talking about? Are those network logs?

With 70TB of traffic you’re talking about a 10Gbit/s or higher link?

Suricata is inspecting network traffic and produces its own logs.