How to make multiple instances of Suricata on a single machine

Hi everyone,
I want to make multiple instances of Suricata for multiple interfaces, but I don't know how to do it.
Currently I have a single instance which has its own configuration file and logs folder.
I want to know how to make more instances so that each instance has its own configuration and logs folder.

Also, I want to know whether section 10.4 of the Suricata Read the Docs is related to this or not, as the commands do not work.


You can run multiple instances of Suricata on a single machine if you’d like.

Both the configuration file and the logging directory can be set on the command line:
suricata -c /path/to/configuration-file -l /path/to/logging-directory

You can also specify the NIC interface:
suricata -c /path/to/configuration-file -l /path/to/logging-directory --af-packet=enp3s0

Section 10.4 is for Suricata’s multi-tenancy support. What commands aren’t working as expected?
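
As an added example (not from the original thread or the Suricata project), here is a small POSIX shell script that applies the answer above: one Suricata process per NIC, each started with its own copy of suricata.yaml, its own log directory via -l, and its own interface via --af-packet. It also gives every instance a distinct PID file and unix-command socket, because two instances left on the defaults would otherwise compete for the same files. The base directory /opt/suricata-instances, the template path /etc/suricata/suricata.yaml and the interface names are assumptions; -c, -l, -D, -T, --af-packet, --pidfile and --set are real Suricata command-line options.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata itself.
# Assumed layout (hypothetical): $BASE/<iface>/{suricata.yaml,log/,suricata.pid,suricata.socket}
set -e

BASE="${BASE:-/opt/suricata-instances}"          # assumed location for per-instance state
TEMPLATE="${TEMPLATE:-/etc/suricata/suricata.yaml}" # assumed template config to copy

# Create the per-instance directory tree and a private copy of the config,
# so each instance can be tuned independently. Prints the instance directory.
prepare_instance() {
    iface="$1"
    dir="$BASE/$iface"
    mkdir -p "$dir/log"
    [ -f "$dir/suricata.yaml" ] || cp "$TEMPLATE" "$dir/suricata.yaml"
    printf '%s\n' "$dir"
}

# Parse-check the instance's config before daemonising (-T exits after the test).
check_instance() {
    iface="$1"
    dir="$BASE/$iface"
    suricata -T -c "$dir/suricata.yaml" -l "$dir/log"
}

# Build and run the launch command for one instance. Besides -c/-l/--af-packet,
# the PID file and the unix-command socket are made per-instance so that the
# processes do not overwrite each other's. With DRY_RUN=1 the command line is
# printed instead of executed, which is handy for review before going live.
run_instance() {
    iface="$1"
    dir="$BASE/$iface"
    set -- suricata -D \
        -c "$dir/suricata.yaml" \
        -l "$dir/log" \
        --af-packet="$iface" \
        --pidfile "$dir/suricata.pid" \
        --set "unix-command.filename=$dir/suricata.socket"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stand-alone use: ./multi-suricata.sh enp3s0 enp4s0
for iface do
    prepare_instance "$iface" >/dev/null
    check_instance "$iface"
    run_instance "$iface"
done
```

Run it once per interface set (for example `./multi-suricata.sh enp3s0 enp4s0`), or with `DRY_RUN=1` to see the exact command each instance would get. Because every instance has its own suricata.yaml, per-interface settings such as the af-packet cluster-id or threading can differ between the copies without affecting the others.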

Hi Jeff, thanks for helping.

Also, about 10.4: the register tenant command is not working for me. Is there any library that I need to install before that?

Is multi-detect-enabled = yes set in your configuration file?

  enabled: yes

If so, please post or PM your suricata.yaml file – but please make sure there is no private information in it.

Multi-detect is enabled, I guess it's not because of suricata.yaml.
It always shows register tenant: command not found.
I can share the yaml if needed.


Can you share the log (or console messages) showing the error message?