Suricata 7 to 8: 10 times less data, mapping issue?

Hello,

Suricata 7.0.15 is writing its output to JSON files (± 100 files). Logstash, and now Vector, parses this data to a Vector pod in Kubernetes, which maps the data into OpenSearch. All is working well, but when installing Suricata v8 (01 or 04, no difference) the OpenSearch input drops by a factor of 10. I'm not yet able to pinpoint the problem, but I guess it is a JSON to OpenSearch index field mapping issue.

Any ideas on that regarding what did possibly change in 8?

Thanks in advance,

Andre

Using the same config file? Or a fresh install with a fresh config file? If the latter, maybe you had payload logging enabled in 7 and it's not in 8? (See suricata/suricata.yaml.in at main · OISF/suricata · GitHub).

Still shouldn't be responsible for that much of a drop, as most events are non-alert type.

Any warnings on startup?
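One way to separate the two hypotheses raised in this thread (fewer events written at the source because of a config difference such as payload logging, versus documents rejected by OpenSearch because of a field-type conflict) is to diff the EVE output of both versions before it ever reaches Vector. The script below is an added example, not code from the thread or from the Suricata project. It counts events per event_type in two eve.json samples, records the JSON type seen at every dotted field path, and flags paths whose type differs between the samples, since OpenSearch's dynamic mapping rejects a document whose field type conflicts with the mapping already in the index (typically reported as mapper_parsing_exception in the bulk response, which Vector's sink logs). The two sample inputs are constructed; the differences between them (no payload_printable, flow.age as a string) are fabricated to exercise the checks and are not known Suricata 8 changes.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample standing in for a Suricata 7 eve.json (the rule sid and
# name are made up; this is not output captured from a real sensor).
EVE_V7 = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":4,"bytes_toserver":320,"age":12,"state":"closed"}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":1000001,"signature":"TEST constructed rule","severity":2},"payload_printable":"GET / HTTP/1.1"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":3,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
"""

# Constructed "Suricata 8" sample. Its two differences from EVE_V7 (no
# payload_printable, flow.age as a string) are fabricated to exercise the
# checks below; they are NOT known Suricata 8 changes.
EVE_V8 = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":4,"bytes_toserver":320,"age":"12","state":"closed"}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":1000001,"signature":"TEST constructed rule","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":3,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
"""

def json_type(value):
    """Coarse JSON type, close to what dynamic mapping would infer."""
    if isinstance(value, bool):      # bool before int: True is an int in Python
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "double"
    if isinstance(value, str):
        return "string"
    return "null" if value is None else "object" if isinstance(value, dict) else "array"

def walk(obj, prefix, types):
    """Record the value type seen at every dotted field path; descend into
    objects and arrays (an array's element type is what gets mapped)."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, dict):
                types[path].add("object")
                walk(item, path, types)
            else:
                types[path].add(json_type(item))

def profile(lines):
    """Per-event_type counts plus field types; unparsable lines (partial
    writes, rotation) are counted, not raised."""
    counts, types, unparsable = Counter(), defaultdict(set), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsable += 1
            continue
        counts[event.get("event_type", "<missing>")] += 1
        walk(event, "", types)
    return counts, types, unparsable

def compare(text_a, text_b):
    """Diff two EVE samples: volume per event_type, fields present on one
    side only, and paths whose JSON type differs between samples (the
    dynamic-mapping conflict that makes OpenSearch reject a document)."""
    counts_a, types_a, bad_a = profile(text_a.splitlines())
    counts_b, types_b, bad_b = profile(text_b.splitlines())
    conflicts = {}
    for path in set(types_a) | set(types_b):
        seen = (types_a.get(path, set()) | types_b.get(path, set())) - {"null"}
        if len(seen) > 1:
            conflicts[path] = sorted(seen)
    return {
        "counts": {"a": counts_a, "b": counts_b},
        "unparsable": {"a": bad_a, "b": bad_b},
        "only_in_a": sorted(set(types_a) - set(types_b)),
        "only_in_b": sorted(set(types_b) - set(types_a)),
        "conflicts": conflicts,
    }

def main(argv):
    if len(argv) == 3:   # eve_diff.py eve7.json eve8.json (cat the ~100 files first)
        texts = [open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]]
    else:
        texts = [EVE_V7, EVE_V8]
    result = compare(*texts)
    for et in sorted(set(result["counts"]["a"]) | set(result["counts"]["b"])):
        a, b = result["counts"]["a"][et], result["counts"]["b"][et]
        print(f"{et:<10} a={a:<7} b={b:<7} b/a={b / a if a else float('inf'):.2f}")
    for key in ("unparsable", "only_in_a", "only_in_b", "conflicts"):
        print(f"{key}: {result[key]}")

if __name__ == "__main__":
    main(sys.argv)
```

Run it against a concatenation of the 7.0.15 files and a concatenation of the v8 files covering the same wall-clock window. If the per-event_type counts already differ by a factor of 10 at the source, the cause is upstream of Vector (config, rule set, capture) and the startup warnings are the place to look; if the counts match but the conflicts list is non-empty, the documents are being written but rejected, and the Vector sink logs or the OpenSearch bulk responses for those paths will confirm it. The script only sees the files, so it cannot observe rejections itself.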