Suricata 8.0.0-dev missing Prometheus output module despite --enable-prometheus at build time

Hi everyone,

I’m reaching out because I’m trying to integrate Suricata with Prometheus in order to build a modern NOC. Over the past days, we have compiled Suricata 8.0.0-dev from source on Arch Linux, using --enable-prometheus during ./configure. The compilation completed successfully, and Suricata runs properly in IDS mode on my interface.

However, when starting Suricata with Prometheus configuration enabled in suricata.yaml, I always see:

Warning: runmodes: No output module named prometheus [RunModeInitializeOutputs:runmodes.c:868]

I’ve checked the Suricata logs and confirmed that other outputs like eve.json and stats.log work fine, but there is absolutely no evidence of a Prometheus module being recognized.

Here is the relevant snippet from my /etc/suricata/suricata.yaml:

- prometheus:
    enabled: yes
    filename: /var/run/suricata.prometheus
    append: no
    types:
      - flow
      - detect
    sensor-name: suricata
    stats:
      enabled: yes
      interval: 8
    bind: 127.0.0.1:9630

Despite having this configuration, Suricata always complains about missing the Prometheus output module.

To double-check, we also compiled and ran suricata_exporter (tried both v1k0d3n/suricata-prometheus-exporter and corelight/suricata_exporter). While suricata_exporter starts and tries to read from the Suricata command socket, it produces repeating errors like:

ERROR: Field max_frag_hits missing for Desc{fqName: "suricata_defrag_max_frag_hits", ...}

and never successfully exports usable metrics.

Here’s what we’ve tried:
:white_check_mark: Verified the config enables Prometheus and that the bind port is free.
:white_check_mark: Compiled with --enable-prometheus after installing all recommended dependencies (jansson, libpcap, luajit, libmaxminddb, etc.).
:white_check_mark: Double-checked that /var/run/suricata/suricata-command.socket is created and readable by suricata_exporter.
:white_check_mark: Tail logs confirm stats are written in /var/log/suricata/stats.log, but no Prometheus output or endpoint is created.
:white_check_mark: Repeatedly see the warning “No output module named prometheus.”

My questions:
:one: Has Prometheus support been deprecated or removed in recent Suricata versions (e.g., 8.x-dev)?
:two: Is there a recommended way to export metrics to Prometheus now?
:three: Or should we stick with reading stats.log via Telegraf/Filebeat, or move to ELK/Wazuh as an alternative?

Any insight or official statement on the current state of Prometheus support in Suricata would be greatly appreciated, since it’s not clear from the current documentation.

Thanks in advance!

Suricata does not have a Prometheus output, nor does it have a --enable-prometheus configure option, and it hasn’t supported it in the past. You’ll have to explore other options.

I do see GitHub - corelight/suricata_exporter: A Prometheus Exporter for Suricata as a possible option, but I suggest creating an issue in that repo if you run into issues with it.

Update: Suricata Build Issue Resolved

Hi team,

I wanted to provide an update regarding the issue I posted earlier about building Suricata with Prometheus support. After a thorough review of the Suricata documentation and the Suricata.yaml configuration, I realized that there is no native “prometheus” output module in Suricata itself. Instead, metrics should be exported via stats.log or eve.json, and a separate Prometheus exporter should be used to scrape these metrics.

I corrected my Suricata.yaml by removing the unsupported prometheus output section, enabled the stats module properly, and confirmed that the configuration loads successfully.

Thank you for your patience. I hope this clarification helps anyone who might run into similar confusion.

Best regards,
Dani
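
The approach described in the update above (take metrics from eve.json and hand them to Prometheus through a separate step), as an added example that is not part of the original posts and not code from Suricata or either exporter project. It assumes the `stats` event type is enabled in the eve-log output; the sample lines and the function names `flatten`, `latest_stats` and `render` are constructed for illustration. It walks whatever counters are present in the event rather than expecting a fixed field list, and skips partially written lines.

```python
import json
import re

# Constructed sample lines in EVE JSON shape (values invented for illustration).
SAMPLE_EVE = [
    '{"timestamp":"2025-01-01T00:00:00.000000+0000","event_type":"flow","proto":"TCP"}',
    '{"timestamp":"2025-01-01T00:00:08.000000+0000","event_type":"stats",'
    '"stats":{"uptime":8,"capture":{"kernel_packets":1200,"kernel_drops":3},'
    '"decoder":{"pkts":1197,"bytes":904512},"defrag":{"ipv4":{"fragments":0}}}}',
    # Constructed truncated line, as seen when reading mid-write or across rotation.
    '{"timestamp":"2025-01-01T00:00:16.000000+0000","event_type":"stats","stats":{"upt',
]

_INVALID = re.compile(r"[^a-zA-Z0-9_]")  # characters not allowed in metric names


def flatten(node, prefix="suricata"):
    """Yield (metric_name, value) for every numeric leaf under a stats object."""
    for key, value in node.items():
        name = f"{prefix}_{_INVALID.sub('_', str(key))}"
        if isinstance(value, dict):
            yield from flatten(value, name)
        elif isinstance(value, (int, float)) and not isinstance(value, bool):
            yield name, value
        # Strings, lists and booleans are skipped: they are not numeric samples.


def latest_stats(lines):
    """Return the stats object of the last well-formed stats event, or None."""
    latest = None
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore incomplete or corrupt lines instead of failing
        if isinstance(event, dict) and event.get("event_type") == "stats":
            if isinstance(event.get("stats"), dict):
                latest = event["stats"]
    return latest


def render(lines):
    """Render the latest stats event in Prometheus text exposition format."""
    stats = latest_stats(lines)
    if stats is None:
        return ""
    out = []
    for name, value in sorted(flatten(stats)):
        # "untyped" because the event does not say which values are counters or gauges.
        out += [f"# TYPE {name} untyped", f"{name} {value}"]
    return "\n".join(out) + "\n"
```

The returned text can be written to a `.prom` file for node_exporter's textfile collector or served from a small HTTP endpoint that Prometheus scrapes.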

Thank you so much. I finally found the solution after days of persisting in my error. I don’t want to point the finger at anyone, and I don’t want to get angry at my colleague who kept insisting I compile it in different ways. :joy: He was pretty annoyed after days of attempts, which naturally failed. :joy::joy::joy:
Thank you so much again. I’ve barely started using the software, but it looks great.