Suricata eve.JSON in Security Onion

Hello,

I have set up Suricata with Security Onion and I have enabled the eve.JSON output in the .yaml file. However, I cannot find the file on the system.

Is there something else I need to do or would it be stored in a different directory to /var/log/nsm?

Many Thanks

Hi,
I believe it should be stored under default-log-dir (specified in suricata.yaml). Otherwise you can specify the log location with -l if running suricata via the command line.

https://suricata.readthedocs.io/en/suricata-6.0.2/command-line-options.html
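To make the answer above concrete, here is an added example (not from the thread, and not Suricata's own code) that reads the two settings that decide where eve.json lands: the top-level default-log-dir and the eve-log entry under outputs, with a command-line -l value taking precedence over default-log-dir as the linked docs describe. The suricata.yaml fragment embedded below is a constructed sample, and the small line-based parser only handles the plain key/value layout shown, not the full YAML grammar; pass a real suricata.yaml path as the first argument to run it against your own configuration.

```python
import re
import sys
from pathlib import PurePosixPath

# Constructed sample with just the parts of a suricata.yaml that matter here
# (the file shipped with your distribution will have many more outputs).
SAMPLE_YAML = """\
%YAML 1.1
---
default-log-dir: /var/log/suricata/

outputs:
  - fast:
      enabled: no
      filename: fast.log
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
  - stats:
      enabled: yes
      filename: stats.log
"""


def parse_outputs(text):
    """Return (default_log_dir, {output_name: {key: value}}) from suricata.yaml text.

    Minimal line-based reader for the plain layout above: it ignores comments
    and blank lines, tracks whether it is inside the top-level 'outputs:' list,
    and collects each '- name:' block's scalar keys. Anchors, flow style and
    multi-line values are not handled (assumption: the config uses the stock layout).
    """
    default_log_dir = None
    outputs = {}
    in_outputs = False
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            # A top-level key ends any outputs block we were in.
            in_outputs = stripped == "outputs:"
            current = None
            m = re.match(r"default-log-dir:\s*(\S+)", stripped)
            if m:
                default_log_dir = m.group(1).strip("\"'")
            continue
        if not in_outputs:
            continue
        if stripped.startswith("- "):
            # "- eve-log:" opens a new output block
            current = stripped[2:].rstrip(":")
            outputs[current] = {}
            continue
        if current is not None:
            key, _, value = stripped.partition(":")
            outputs[current][key.strip()] = value.strip().strip("\"'")
    return default_log_dir, outputs


def truthy(value):
    """Suricata accepts yes/no as well as true/false for 'enabled'."""
    return str(value).lower() in ("yes", "true", "on", "1")


def eve_json_path(text, cmdline_log_dir=None):
    """Return the path eve.json will be written to, or None if eve-log is disabled.

    Precedence: -l on the command line overrides default-log-dir; if neither is
    set, /var/log/suricata is the usual compiled-in default. An absolute
    'filename' is used as-is. The fast.log output is irrelevant to this decision.
    """
    default_log_dir, outputs = parse_outputs(text)
    eve = outputs.get("eve-log", {})
    if not truthy(eve.get("enabled", "no")):
        return None
    filename = eve.get("filename", "eve.json")
    log_dir = cmdline_log_dir or default_log_dir or "/var/log/suricata"
    path = PurePosixPath(filename)
    if not path.is_absolute():
        path = PurePosixPath(log_dir) / path
    return str(path)


def fast_log_enabled(text):
    """Whether the separate fast.log output is on (independent of eve-log)."""
    _, outputs = parse_outputs(text)
    return truthy(outputs.get("fast", {}).get("enabled", "no"))


if __name__ == "__main__":
    # Usage: python eve_path.py [/path/to/suricata.yaml] [log dir passed with -l]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAML
    override = sys.argv[2] if len(sys.argv) > 2 else None
    print("eve.json expected at:", eve_json_path(text, override))
    print("fast.log enabled:", fast_log_enabled(text))
```

If the computed path does not exist, check how the running daemon was actually started (for example `ps -ef | grep suricata`): a packaged deployment that passes -l on the command line writes under that directory, not under the default-log-dir in the yaml you edited, and a daemon that was not restarted after the edit is still running the old configuration.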

Hello,

It is stated as /var/log/suricata but this directory doesn’t seem to exist. Should I specify a different directory?

Also do I need the fast.log enabled for this to generate the eve.JSON?

Many Thanks!

Andrew

You do not need to have fast.log enabled for eve.json content.

Hello,

Really appreciate the response, I will get looking in the yaml file. I set up Suricata on Ubuntu and the eve.JSON was created but with Security Onion it didn’t seem to be.

Thanks again!