What does Suricata log?

Hello all,

I started to use Suricata with Security Onion. Maybe it is a stupid question but I’ve been asked and I need to be sure. What does Suricata log? Only irregularities or all traffic?

Thank you.

Hello Isac!

Welcome to our forum! No worries, there are no stupid questions :slight_smile:

Suricata is powerful in terms of the outputs it can generate (that’s one of the reasons you find tools that integrate it to help users interpret said output :wink: ). It can log alerts (based on the rules that are loaded); anomalous traffic; a variety of events, regardless of alerts, for the supported protocols.

The amount of generated output, as well as its type and granularity, is a matter of configuration. I think these two documents might help you get a better grasp of Suri’s logging abilities:
[10.1. Suricata.yaml — Suricata 7.0.0-dev documentation]
[15.1.1. Eve JSON Output — Suricata 7.0.0-dev documentation]

If this doesn’t answer your question, please help us further understand what clarifications you need! :slight_smile:
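To make the answer above concrete, here is an added example that is not part of the original thread and not code from the Suricata project. It parses a few constructed EVE JSON lines (the newline-delimited format Suricata writes to eve.json by default) and shows that one file can carry `flow`, `dns` and `http` records for ordinary traffic alongside `alert` and `anomaly` records, and how the shared `flow_id` ties an alert back to the protocol context around it. Which event types actually appear depends on the `types:` list under `eve-log` in suricata.yaml; the sample records, the signature id 1000001 and the addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real Suricata output). Field names
# follow the documented EVE schema: every record has timestamp, flow_id,
# event_type, and a sub-object named after the event type.
SAMPLE_EVE = r'''
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"EXAMPLE constructed test signature","severity":2}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":4,"event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","anomaly":{"type":"decode","event":"decoder.tcp.hlen_too_small"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at file rotation time is common; don't abort
    return records


def count_event_types(records):
    """How many records of each event_type the log contains."""
    return Counter(r.get("event_type", "unknown") for r in records)


def alerts_only(records):
    """The subset a rule-centric viewer would show: event_type == 'alert'."""
    return [r for r in records if r.get("event_type") == "alert"]


def records_for_flow(records, flow_id):
    """All records sharing a flow_id: the protocol context around an alert."""
    return [r for r in records if r.get("flow_id") == flow_id]


def summarize(records):
    """One human-readable line per record, with the type-specific detail."""
    lines = []
    for r in records:
        et = r.get("event_type", "unknown")
        if et == "alert":
            a = r["alert"]
            detail = f'sid={a["signature_id"]} sev={a["severity"]} "{a["signature"]}"'
        elif et == "anomaly":
            detail = r["anomaly"]["event"]
        elif et == "dns":
            detail = f'{r["dns"]["type"]} {r["dns"]["rrname"]}'
        elif et == "http":
            h = r["http"]
            detail = f'{h["http_method"]} {h["hostname"]}{h["url"]} -> {h["status"]}'
        else:
            detail = ""
        lines.append(f'{r["timestamp"]} {et:8} {r["src_ip"]} -> {r["dest_ip"]} {detail}'.rstrip())
    return lines


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("event types:", dict(count_event_types(recs)))
    print("alerts only:", len(alerts_only(recs)))
    print("context for the alerted flow:")
    for line in summarize(records_for_flow(recs, 3)):
        print("  ", line)
```

Run it against a real file with `parse_eve(open("/var/log/suricata/eve.json").read())` (the default path) and the counts will usually show far more `flow`, `dns` and `http` records than `alert` ones, which is exactly the difference between "only irregularities" and "all traffic" the question asks about.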