Hi Team,
I am facing an issue while attempting to stream logs directly from Suricata to Kafka. I am currently using Suricata version 7.0.6, and I have configured the Kafka output in the suricata.yaml file as follows:
outputs:
  # Line-based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Extensible Event Format (EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: kafka #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      kafka:
        brokers: ["17.X.X.X:9092"]
        topic: "suricatacdlogs"
      types:
        - alert:
            payload: yes
            packet: yes
            metadata: yes
            tagged-packets: yes
            pcap-file: yes
            pcap-file-path: full
However, when I run the test command suricata -T -c /etc/suricata/suricata.yaml -v, I receive the following error:
Info: conf-yaml-loader: Configuration node ‘types’ redefined.
Notice: suricata: This is Suricata version 7.0.6 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 8
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Error: output-json: Invalid JSON output option: kafka
I also tested this configuration on Suricata version 6.0.16 but encountered the same issue.
Could you please clarify whether direct Kafka output is still supported in Suricata 7.x, or if there is a recommended alternative for streaming logs directly to Kafka without using third-party tools like Filebeat or Fluentd?
Looking forward to your guidance.
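The following is an added example, not part of the original post and not a Suricata feature. It shows one way to get EVE records into Kafka without Filebeat or Fluentd when eve-log cannot write to a broker itself: point eve-log at a unix_stream socket (one of the filetypes listed in the comment in the config above) and run a small relay that listens on that socket, parses each newline-delimited JSON record, keys it by flow_id so events of one flow stay ordered on one partition, and hands it to a producer. The socket path /var/run/suricata/eve.sock, the broker address localhost:9092 and the use of the kafka-python package are assumptions; the topic name suricatacdlogs is taken from the post. The sample EVE lines are constructed, and the producer is injected as a callback so the parsing and filtering can be exercised offline.

```python
"""Relay Suricata EVE JSON from an eve-log unix_stream socket to a Kafka-style sink.

Added example. Assumptions (not from the original post): Suricata is configured with
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /var/run/suricata/eve.sock   # socket path; this relay must be listening first
and the kafka-python package is installed for the real producer used in main().
"""
import json
import os
import socket
from typing import Callable, Iterable, Iterator, Optional

# Constructed sample records in the one-JSON-object-per-line shape eve-log emits.
# Values are made up; the non-JSON and blank lines exercise the error handling.
SAMPLE_EVE_LINES = [
    b'{"timestamp":"2024-05-01T12:00:00.000000+0000","flow_id":111,"event_type":"alert",'
    b'"src_ip":"10.0.0.5","src_port":44321,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    b'"alert":{"signature_id":1000001,"signature":"LOCAL constructed test alert","severity":2}}',
    b'{"timestamp":"2024-05-01T12:00:01.000000+0000","flow_id":222,"event_type":"dns",'
    b'"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP",'
    b'"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    b'{"timestamp":"2024-05-01T12:00:02.000000+0000","flow_id":111,"event_type":"flow",'
    b'"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    b'this is not json',
    b'',
]

Sink = Callable[[str, bytes, bytes], None]  # (topic, key, value)


def parse_eve_line(line: bytes) -> Optional[dict]:
    """Return the decoded record, or None for blank, malformed or non-EVE lines."""
    line = line.strip()
    if not line:
        return None
    try:
        record = json.loads(line)
    except ValueError:
        return None
    return record if isinstance(record, dict) and "event_type" in record else None


def partition_key(record: dict) -> bytes:
    """Key on flow_id so all events of one flow land on one partition, in order.

    Records without a flow_id (e.g. stats) fall back to src_ip, then to an empty key.
    """
    key = record.get("flow_id", record.get("src_ip", ""))
    return str(key).encode()


def relay(lines: Iterable[bytes], send: Sink, topic: str,
          event_types: Optional[set] = None) -> dict:
    """Forward each well-formed EVE record to `send`; return counters for monitoring."""
    stats = {"sent": 0, "filtered": 0, "bad": 0}
    for raw in lines:
        record = parse_eve_line(raw)
        if record is None:
            if raw.strip():  # blank lines are harmless; anything else is counted as bad
                stats["bad"] += 1
            continue
        if event_types and record["event_type"] not in event_types:
            stats["filtered"] += 1
            continue
        # Re-serialise compactly so the payload is canonical regardless of Suricata's spacing.
        send(topic, partition_key(record), json.dumps(record, separators=(",", ":")).encode())
        stats["sent"] += 1
    return stats


def socket_lines(path: str) -> Iterator[bytes]:
    """Listen on a unix stream socket and yield lines; Suricata connects as the client."""
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket left by a previous run
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    # Restrict who can push events into the pipeline; set owner/group so the
    # Suricata process is able to connect (deployment-specific assumption).
    os.chmod(path, 0o660)
    server.listen(1)
    conn, _ = server.accept()
    with conn, conn.makefile("rb") as reader:
        yield from reader


if __name__ == "__main__":
    from kafka import KafkaProducer  # assumption: kafka-python is installed

    producer = KafkaProducer(bootstrap_servers=["localhost:9092"])  # assumption: broker address
    stats = relay(socket_lines("/var/run/suricata/eve.sock"),
                  lambda topic, key, value: producer.send(topic, key=key, value=value),
                  "suricatacdlogs", event_types={"alert"})
    producer.flush()
    print(stats)
```

Because Suricata connects to the socket rather than creating it, start the relay before (re)starting Suricata; if the relay is down, eve-log cannot open its output, which is the same failure mode as an unreachable broker and should be alarmed on. Passing `event_types` lets you ship only alerts to a high-value topic while leaving the bulkier flow and DNS records in the local file.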