Hi,
I believe it should be stored under default-log-dir (specified in suricata.yaml). Otherwise you can specify the log location with -l if running Suricata via the command line.
Really appreciate the response, I will get looking in the yaml file. I set up Suricata on Ubuntu and the eve.json was created, but with Security Onion it didn’t seem to be.