High-traffic rulesets to use and Wazuh configuration

Hello Suricata Community,

I am currently using Suricata to monitor traffic from a 10GB TAP. I tested it with the default rules, and within just 30 minutes, the eve.json file grew to 5GB, generating 3 million hits in Wazuh. This caused a significant delay in the Wazuh dashboard, making it difficult to detect current alerts in real time.

What tweaks can I apply to optimize performance? Also, are there specific rules that I should disable to filter out less important alerts?

Please post your suricata.yaml so we can give you some hints on what you can adjust from the log perspective.
Also, which ruleset exactly are you using?
It’s not very uncommon to have big log files, so most folks take care of that in post processing.

Hello,
I didn’t make many changes in the suricata.yaml file. I only specified the AFPacket interface, HOME_NET, and enabled the community ID.

As for the rules, I just used the default ones and didn’t change anything. That’s why I’m asking if I should remove some rules or specify only a group of important ones recommended by your team.
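Before deciding which rules to disable, it helps to measure what is actually filling eve.json. With the default eve-log configuration, alert records are only one of many event types Suricata writes (flow, dns, http, tls, fileinfo and so on), so a large share of the 5 GB and of the Wazuh hits may not be alerts at all, and the alerts that remain are usually dominated by a handful of signatures. The script below is an added example written for this thread; it is not code from the original posts or from the Suricata project. It parses eve.json line by line, counts records per event_type and per signature, and prints candidate threshold.config entries (Suricata's `threshold gen_id ..., sig_id ..., type limit` syntax) for the noisiest signatures so each source produces at most one alert per minute per SID instead of one per packet. The embedded sample lines are constructed, the SIDs 9000001 and 9000002 are placeholders rather than real ruleset signatures, and the deliberately truncated last line mimics reading the file while Suricata is still writing it.

```python
import json
from collections import Counter

# Constructed sample of eve.json records (not captured from a real sensor). One JSON
# object per line, shaped like Suricata's flow/dns/http/alert events. SIDs 9000001 and
# 9000002 are placeholders, not signatures from any real ruleset. The final line is
# intentionally truncated, as happens when eve.json is read while it is being written.
SAMPLE_EVE = "\n".join([
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"UDP"}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.test"}}',
    '{"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.53","dns":{"type":"answer","rrname":"example.test"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy policy rule","severity":3}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy policy rule","severity":3}}',
    '{"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","alert":{"gid":1,"signature_id":9000001,"signature":"CONSTRUCTED noisy policy rule","severity":3}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"gid":1,"signature_id":9000002,"signature":"CONSTRUCTED rarer rule","severity":1}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"gid":1,"sig',
])


def iter_events(text):
    """Yield parsed eve.json records, skipping blank lines and the partial line that
    sits at the tail of a file Suricata is still appending to."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(text):
    """Return (by_type, by_sig): record counts per event_type, and alert counts keyed
    by (gid, sid, signature text)."""
    by_type = Counter()
    by_sig = Counter()
    for ev in iter_events(text):
        et = ev.get("event_type", "unknown")
        by_type[et] += 1
        if et == "alert":
            a = ev.get("alert", {})
            by_sig[(a.get("gid", 1), a.get("signature_id"), a.get("signature", ""))] += 1
    return by_type, by_sig


def alert_share(by_type):
    """Fraction of all records that are alerts; the rest is metadata logging that
    never needs to reach the SIEM if only alerts are wanted there."""
    total = sum(by_type.values())
    return by_type["alert"] / total if total else 0.0


def threshold_lines(by_sig, top_n=10, min_hits=2, count=1, seconds=60):
    """Build threshold.config 'limit' entries for the noisiest signatures: at most
    `count` alerts per `seconds` per source IP for that SID. Returns the lines; the
    caller decides which ones to keep."""
    lines = []
    for (gid, sid, name), hits in by_sig.most_common(top_n):
        if hits < min_hits:
            break
        lines.append(f"# {hits} hits: {name}")
        lines.append(
            f"threshold gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}"
        )
    return lines


def report(text):
    """Human-readable summary for a chunk of eve.json."""
    by_type, by_sig = summarize(text)
    out = ["records per event_type:"]
    for et, n in by_type.most_common():
        out.append(f"  {et:10s} {n}")
    out.append(f"alert share: {alert_share(by_type):.0%}")
    out.append("candidate threshold.config entries:")
    out.extend("  " + l for l in threshold_lines(by_sig))
    return "\n".join(out)


if __name__ == "__main__":
    # On a sensor: python3 eve_triage.py < /var/log/suricata/eve.json
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVE
    print(report(data))
```

Run it against a slice of the real file (for example the last few hundred thousand lines) rather than the whole 5 GB at once. If the alert share comes out small, the first lever is the `types:` list under `eve-log` in suricata.yaml, or a second eve-log output that contains only `alert` and is the one Wazuh tails; the threshold entries address the second problem, a few signatures firing on every packet, without removing the signatures from the ruleset.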