Suricata

The Suricata Matano managed log source lets you ingest your Suricata IDS/IPS/NSM logs. It parses logs that are in the Suricata Eve JSON format.

Usage

Use the managed log source by specifying the managed.type property in your log_source as SURICATA.

name: "suricata"

managed:
  type: "SURICATA"

Then create tables for each of the Suricata logs you want to ingest. For example, if you want to ingest Suricata Eve logs, create table files like so:

my-matano-dir/
└── log_sources/
    └── suricata/
        └── log_source.yml
        └── tables/
            └── eve.yml
            └── ...

# log_sources/suricata/tables/eve.yml
name: "eve"

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.

Tables

The Suricata managed log source supports the following tables:

Ingest

S3 (default)

For a log source named suricata, a file under the path suricata/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log will be routed to the eve table.

S3 Path scheme to table:

* (all) -> eve

Schema

Suricata data is normalized to ECS fields. You can view the complete mappings to see the full schemas.

Usage​

Tables​

Ingest​

S3 (default)​

S3 Path scheme to table:​

Schema​