Forwarding suricata alert logs to the console output

Please include the following information with your help request:

  • Suricata version: 7.0.2 RELEASE
  • Operating system and/or Linux distribution: Ubuntu 22.04.3 LTS
  • How you installed Suricata (from source, packages, something else): apt package.

Hi, I have configured Suricata on an Ubuntu docker container. Now I need to print suricata alert logs in the docker container logs in JSON format. Could you please let me know whether there is a possible way to do that?

Hi!

Suricata doesn’t output eve.json/alerts directly to the console.
But that can be easily done by either:

  • direct Suricata output to UNIX socket and read from that
  • set Suricata output to eve.json (is enabled by default) and read from the file with tail -f

I would prefer the second option as with that option you’ll also have a file (eve.json) to fall back to.

Here is a quick example of what I meant:
One terminal:

echo '{ "first_name": "John", "last_name": "Smith" }' >> /tmp/a

Second terminal:

tail -f /tmp/a | jq .
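As an added example (not code from the thread or from the Suricata project), here is a small Python stand-in for the `tail -f eve.json | jq .` pipeline above that forwards only the `event_type: "alert"` records to the container's stdout and skips a half-written line instead of crashing; the sample EVE records and the default eve.json path are assumptions.

```python
# Added example (not from the thread): a Python stand-in for
# `tail -f eve.json | jq .` that forwards only alert records to stdout.
import json
import sys
import time

# Constructed sample EVE lines: a flow record, an alert, and a partial
# line of the kind tail can hand over while Suricata is mid-write.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-02T03:04:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5"}',
    '{"timestamp":"2024-01-02T03:04:06.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"EXAMPLE rule","severity":2}}',
    '{"timestamp":"2024-01-02T03:04:07.000000+0000","event_ty',
]

def parse_eve_line(line):
    """Decode one EVE line; return None for blank or incomplete lines."""
    try:
        return json.loads(line.strip())
    except json.JSONDecodeError:
        return None  # write still in progress (or empty): drop it, don't crash

def alerts_only(lines):
    """Yield only the alert records from an iterable of EVE lines."""
    for line in lines:
        rec = parse_eve_line(line)
        if rec is not None and rec.get("event_type") == "alert":
            yield rec

def follow(path, poll=0.5):
    """tail -f in Python: yield complete appended lines (no rotation handling)."""
    with open(path, "r", encoding="utf-8") as fh:
        fh.seek(0, 2)  # start at the end so only new events are forwarded
        buf = ""
        while True:
            chunk = fh.readline()
            if not chunk:
                time.sleep(poll)
                continue
            buf += chunk
            if buf.endswith("\n"):  # only hand over complete lines
                yield buf
                buf = ""

if __name__ == "__main__":
    # Assumed default path of the apt package; pass another path as argv[1].
    eve_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    for alert in alerts_only(follow(eve_path)):
        print(json.dumps(alert), flush=True)
```

Run it as the container's foreground process (or a sidecar sharing the log volume) and the alerts appear in `docker logs` as one JSON object per line while eve.json stays on disk as the fallback.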

Hi Lukas,

Thank you very much for your reply!

Ultimately I need to route those suricata container’s alert logs to GCP stackdriver.

Thus my aim is to print those logs in the standard output of the suricata docker container first.

I thought Suricata had some kind of special attribute that I could use for my requirement.

I will try to make use of your suggestions.