Eve-log with unix_stream mode

I’m using Suricata to output logs with the following configuration:
    filetype: unix_stream
    filename: /var/lib/suricata/unix_alert.socket

When Suricata is running in multithreaded mode, the data received from /var/lib/suricata/unix_alert.socket is sometimes incomplete JSON.
I’m looking for a solution to this issue.
My suricata version: 8.0.0-beta1 RELEASE

Can you post the eve-log section from suricata.yaml?

Sure, here is my config:

  - eve-log:
      enabled: yes
      #filetype: regular
      filetype: unix_stream
      #filename: flow.json
      filename: /var/lib/suricata/unix_flow.socket
      types:
        - flow

Can you show a few examples of what the truncated items look like?

What process is receiving the alerts and persisting them?

I use a Go function to listen on /var/lib/suricata/unix_flow.socket.
The error message is:

{"data":"OjQwMTY0LCJ0b2Ffc3JjX2lwIjoiMC4wLjAuMCIsInRvYV9zcmNfcG9ydCI6MCwiZGVzdF9pcCI6IjEuMTgwLjIxMy4xMDkiLCJkZXN0X3BvcnQiOjQ0MywiZGlyX2NoZWNrIjoyLCJwcm90byI6IlRDUCIsImZsb3ciOnsicGt0c190b3NlcnZlciI6MzIsInBrdHNfdG9jbGllbnQiOjI2LCJieXRlc190b3NlcnZlciI6MjE5MDIsImJ5dGVzX3RvY2xpZW50Ijo5MTExLCJmbG93X3N0YXJ0IjoiMjAyNS0wNS0yMlQyMTowMzoxNi4yMjkxMTUrMDgwMCIsImZsb3dfZW5kIjoiMjAyNS0wNS0yMlQyMTowMzoxOS4xMzk4NzUrMDgwMCIsImFnZSI6Mywic3RhdGUiOiJuZXciLCJyZWFzb24iOiJ0aW1lb3V0IiwiYWxlcnRlZCI6ZmFsc2UsImV4Y2VwdGlvbl9wb2xpY3kiOlt7InRhcmdldCI6InN0cmVhbV9taWRzdHJlYW0iLCJwb2xpY3kiOiJpZ25vcmUifSx7InRhcmdldCI6ImFwcF9sYXllcl9lcnJvciIsInBvbGljeSI6Imlnbm9yZSJ9XX0sInRjcCI6eyJ0Y3BfZmxhZ3MiOiIwMCIsInRjcF9mbGFnc190cyI6IjAwIiwidGNwX2ZsYWdzX3RjIjoiMDAifSwiaG9zdCI6ImMzLXNlYy1udGEwMi5iaiJ9CnsidGltZXN0YW1wIjoiMjAyNS0wNS0yMlQyMTowNDoxOS44MTgwMjIrMDgwMCIsImZsb3dfaWQiOjExMDgxNzc5Mjc1NTA4ODMsImluX2lmYWNlIjoiMDAwMDo1ZTowMC4wIiwiZXZlbnRfdHlwZSI6ImZsb3ciLCJ2bGFuIjpbMzE2XSwic3JjX2lwIjoiMTAuMTU4LjI0My4zNCIsInNyY19wb3J0Ijo1MTIxMiwidG9hX3NyY19pcCI6IjAuMC4wLjAiLCJ0b2Ffc3JjX3BvcnQiOjAsImRlc3RfaXAiOiIxMjMuMTgzLjIzMi45IiwiZGVzdF9wb3J0Ijo0NDMsImRpcl9jaGVjayI6MiwicHJvdG8iOiJUQ1AiLCJhcHBfcHJvdG8iOiJmYWlsZWQiLCJhcHBfcHJvdG9fdA==","error":"invalid character ':' looking for beginning of value","level":"error","msg":"handle message unmarshal flow Log failed","time":"2025-05-22T21:04:19+08:00"}

Note that the endpoint receiving the data is responsible for handling the stream. The data in the b64-encoded blob has items from a Suricata alert and also items that are from a different source.
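The framing point made above, as an added example that is not code from the thread: Suricata writes EVE records to a unix_stream socket as newline-delimited JSON, so the receiver has to split on `\n` and carry any partial tail over to the next read. Decoding whatever a single read returned as one record, which is what the base64 blob suggests happened, produces the `invalid character ':' looking for beginning of value` error. The two sample records are constructed, not captured data.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of what arrives on the socket: one EVE flow record per line.
const sampleStream = `{"timestamp":"2025-05-22T21:03:19+0800","event_type":"flow","src_ip":"10.0.0.1","flow":{"state":"new"}}
{"timestamp":"2025-05-22T21:04:19+0800","event_type":"flow","src_ip":"10.0.0.2","flow":{"state":"closed"}}
`

// ReadEveRecords splits the byte stream on newlines and decodes one JSON object
// per line. Data after the last newline is a record still in flight: it is
// returned as `partial` so the caller can prepend it to the next read instead
// of handing it to json.Unmarshal. bufio.Reader is used rather than
// bufio.Scanner because EVE records with payloads can exceed Scanner's 64 KiB
// default token limit.
func ReadEveRecords(r io.Reader) (records []map[string]any, partial []byte, err error) {
	br := bufio.NewReader(r)
	for {
		line, rerr := br.ReadBytes('\n')
		if rerr == io.EOF {
			return records, line, nil // no trailing newline yet: keep, don't parse
		}
		if rerr != nil {
			return records, nil, rerr
		}
		var rec map[string]any
		if jerr := json.Unmarshal(line, &rec); jerr != nil {
			return records, nil, fmt.Errorf("record %d: %w", len(records)+1, jerr)
		}
		records = append(records, rec)
	}
}

// DecodeChunkAsRecord is the broken pattern: it treats one read() result as a
// complete record, so a chunk that begins mid-object fails to decode.
func DecodeChunkAsRecord(chunk []byte) error {
	var rec map[string]any
	return json.Unmarshal(chunk, &rec)
}

func main() {
	recs, partial, err := ReadEveRecords(strings.NewReader(sampleStream))
	fmt.Println(len(recs), "records,", len(partial), "bytes pending, err:", err)
	mid := strings.Index(sampleStream, `:"flow"`) // a read boundary inside a record
	fmt.Println("chunk decode:", DecodeChunkAsRecord([]byte(sampleStream[mid:mid+60])))
}
```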

This data is a flow log; printing a byte slice in Go is base64-encoded by default.

Suricata flow logs (event type flow) do not have fields prefixed with toa. Is the go-recipient of the Suricata flow record rewriting field names (or adding them)?

Yes, we customized some code to parse the ToA address field into the flow log, because some traffic is forwarded by LVS.

I’d like to see the original Suricata items that are showing the issue. Is that possible?