Hello all,
I started to use Suricata with Security Onion. Maybe it is a stupid question but I’ve been asked and I need to be sure. What does Suricata log? Only irregularities or all traffic?
Thank you.
Isac
Hello Isac!
Welcome to our forum! No worries, there are no stupid questions 
Suricata is powerful in terms of the outputs it can generate (that’s one of the reasons you find tools that integrate it to help users interpret said output 
). It can log alerts (based on the rules that are loaded); anomalous traffic; a variety of events, regardless of alerts, for the supported protocols.
The amount of generated output, as well as its type and granularity, is a matter of configuration. I think these two documents might help you get a better grasp of Suri’s logging abilities:
[10.1. Suricata.yaml — Suricata 7.0.0-dev documentation]
[15.1.1. Eve JSON Output — Suricata 7.0.0-dev documentation]
If this doesn’t answer your question, please help us further understand what clarifications do you need!