Suricata eve.JSON in Security Onion

garrygosafe · May 13, 2021, 8:41am

Hello,

I have setup Suricata with Security Onion and I have enabled the eve.JSON ouput in the .yaml file. However, I cannot find the file on the system.

Is there something else I need to do or would it be stored in a different directory to /var/log/nsm?

Many Thanks

arcot · May 14, 2021, 12:02pm

Hi,
I believe it should be stored under default-log-dir (specified in suricata.yaml). Otherwise you can specified logs location with -l if running suricata via command.

https://suricata.readthedocs.io/en/suricata-6.0.2/command-line-options.html

garrygosafe · May 14, 2021, 12:15pm

Hello,

It is states as /var/log/suricata but this directory doesn’t seem to exist. Should I specify a different directory?

Also do I need the fast.log enabled for this to generate the eve.JSON?

Many Thanks!

Andrew

Jeff_Lucovsky · May 14, 2021, 1:21pm

You do not need to have fast.log enabled for eve.json content.

garrygosafe · May 14, 2021, 4:37pm

Hello,

Really appreciate the response, I will get looking in the yaml file. I setup Suricata on Ubuntu and the eve.JSON was created but with Security Onion it didn’t seem to be.

Thanks again!

Topic		Replies	Views
Rules and log files	1	983	November 28, 2023
Suricata does not generate the fast.log file Help	5	2983	October 7, 2020
Create customize suricata using bash script Help	4	622	September 30, 2021
Eve.json with 'weird' output and no ALERTS Help	1	482	December 8, 2021
Fast.log not being written to Help suricata	13	86	September 9, 2024

Suricata eve.JSON in Security Onion

Related Topics