Suricata eve.JSON in Security Onion


I have set up Suricata with Security Onion and I have enabled the eve.JSON output in the .yaml file. However, I cannot find the file on the system.

Is there something else I need to do, or would it be stored in a different directory from /var/log/nsm?

Many Thanks

I believe it should be stored under default-log-dir (specified in suricata.yaml). Otherwise you can specify the log location with -l if running suricata from the command line.
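As an added example (not posted by anyone in this thread, and not Security Onion's own tooling), the following POSIX shell script shows how the two settings mentioned above combine: it reads `default-log-dir` and the `eve-log` output block out of a suricata.yaml, honours an optional `-l` override, resolves the path Suricata would write `eve.json` to, and reports whether that file exists on the host. The function names are mine, the YAML it parses is a constructed sample written to a temp file for offline use, and the fallback filename `eve.json` is Suricata's documented default for the eve-log output.

```shell
#!/bin/sh
# Added example: locate where Suricata will write eve.json from suricata.yaml.
# Function names and the sample config below are assumptions for illustration.

# Print "<enabled> <filename>" for the first eve-log output block in the yaml.
# Only the keys directly under "- eve-log:" are read; nested "types:" entries
# (which also carry enabled:/filename: keys) are skipped by indentation.
eve_log_settings() {
  awk '
    /^[ \t]*-[ \t]*eve-log:/ { inblk=1; match($0, /^[ \t]*/); ind=RLENGTH; next }
    inblk && /^[ \t]*-/ { match($0, /^[ \t]*/); if (RLENGTH <= ind) inblk=0 }
    inblk && !got_en && /^[ \t]*enabled:/  { en=$2; got_en=1 }
    inblk && !got_fn && /^[ \t]*filename:/ { fn=$2; got_fn=1 }
    END { print (en ? en : "missing"), (fn ? fn : "eve.json") }
  ' "$1"
}

# Print the log directory: the -l override ($2) if given, else default-log-dir
# from the yaml ($1), with any trailing slash and quotes removed.
log_dir() {
  if [ -n "$2" ]; then printf '%s\n' "${2%/}"; return; fi
  awk -F': *' '/^default-log-dir:/ { gsub(/"/, "", $2); sub(/\/$/, "", $2); print $2; exit }' "$1"
}

# Print the full eve.json path; return 1 (with a message) if eve-log is disabled.
eve_log_path() {
  set -- "$1" "$2" "$(eve_log_settings "$1")"
  en=${3%% *}; fn=${3#* }
  [ "$en" = "yes" ] || { echo "eve-log is not enabled in $1" >&2; return 1; }
  printf '%s/%s\n' "$(log_dir "$1" "$2")" "$fn"
}

# Constructed sample suricata.yaml (not a real Security Onion config file).
SAMPLE_YAML=$(mktemp)
trap 'rm -f "$SAMPLE_YAML"' EXIT
cat > "$SAMPLE_YAML" <<'EOF'
default-log-dir: /var/log/suricata/

outputs:
  - fast:
      enabled: no
      filename: fast.log
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - dns:
            enabled: yes
EOF

if path=$(eve_log_path "$SAMPLE_YAML"); then
  echo "Suricata will write EVE records to: $path"
  if [ -f "$path" ]; then
    echo "eve.json exists on this host"
  else
    echo "eve.json not present yet: check that Suricata is running with this config"
  fi
fi

# The same lookup when suricata was started with "-l /tmp/custom".
eve_log_path "$SAMPLE_YAML" /tmp/custom
```

Point the script at the suricata.yaml the running service actually loads (check the `-c` argument in `ps`, since a different copy from the one edited is a common reason the file never appears), and remember that if `enabled:` under `eve-log` is anything other than yes, no eve.json is written at all, whatever `default-log-dir` says.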


It is stated as /var/log/suricata, but this directory doesn’t seem to exist. Should I specify a different directory?

Also do I need the fast.log enabled for this to generate the eve.JSON?

Many Thanks!


You do not need to have fast.log enabled for eve.json content.


Really appreciate the response, I will get looking in the yaml file. I set up Suricata on Ubuntu and the eve.JSON was created, but with Security Onion it didn’t seem to be.

Thanks again!