Suricata 5.0.3 IPS mode


how to detect log (fast.log) on suricata if i attack a server?
if i attack server, log on fast.log not detected and
if i attack suricata, log on fast.log detected

You should use a mirror port / tap interface.
That would send all traffic going through your router or switch to the suricata box.

Another option is to change your topology and put suricata inline between your router and the internet or your router and the server.