Configuring logging of Suricata events.

May 15, 2024

ID 265590

To configure Suricata event logging:

  1. Connect via SSH to the server that has administrative user accounts.
  2. Create a backup copy of the /etc/suricata/suricata.yaml file.
  3. Set the following values in the eve-log section of the /etc/suricata/suricata.yaml configuration file:

       - eve-log:
           enabled: yes
           filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
           filename: eve.json

  4. Save your changes to the /etc/suricata/suricata.yaml configuration file.

As a result, Suricata events are logged to the /usr/local/var/log/suricata/eve.json file.
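The eve.json file written by this configuration holds one JSON object per line, so the usual next step is to read it back and summarize what the sensor is alerting on. The following reader is an added example, not code from the original article or from the Suricata project: it parses EVE JSON lines, tolerates a truncated final record (which happens when the file is read while Suricata is still writing to it), and counts alert events by signature and severity. The sample lines embedded in it are constructed, and the signature ids and names in them are placeholders, not real rules.

```python
import json
from collections import Counter
from typing import Iterable, Iterator

# Constructed sample of EVE JSON lines, one JSON object per line as Suricata
# writes them. The signature ids/names are placeholders. The last line is
# deliberately cut off to mimic a record still being written when we read it.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-15T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1000001,"signature":"EXAMPLE suspicious HTTP request","severity":2}}',
    '{"timestamp":"2024-05-15T10:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-05-15T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1000001,"signature":"EXAMPLE suspicious HTTP request","severity":2}}',
    '{"timestamp":"2024-05-15T10:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"signature_id":1000002,"signature":"EXAMPLE possible port scan","severity":1}}',
    '{"timestamp":"2024-05-15T10:00:05.000000+0000","event_type":"al',
]


def parse_eve(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one event dict per well-formed EVE JSON line; skip malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or corrupt line (e.g. still being written) is skipped
            # rather than aborting the whole read.
            continue
        if isinstance(event, dict):
            yield event


def summarize_alerts(lines: Iterable[str]) -> dict:
    """Count alert events by signature name and by severity; other event types are ignored."""
    by_signature: Counter = Counter()
    by_severity: Counter = Counter()
    total = 0
    for event in parse_eve(lines):
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        total += 1
        by_signature[alert.get("signature")] += 1
        by_severity[alert.get("severity")] += 1
    return {
        "alerts": total,
        "by_signature": dict(by_signature),
        "by_severity": dict(by_severity),
    }


def summarize_file(path: str) -> dict:
    """Summarize alerts from an eve.json file on disk (streamed line by line)."""
    with open(path, encoding="utf-8") as fh:
        return summarize_alerts(fh)


if __name__ == "__main__":
    # Run against the constructed sample; point summarize_file() at
    # /usr/local/var/log/suricata/eve.json to read the real log.
    print(json.dumps(summarize_alerts(SAMPLE_EVE_LINES), indent=2))
```

Because the reader streams the file line by line, it works unchanged on the rotated files produced by the rotation settings described below; only the path passed to summarize_file() changes.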

Suricata does not support limiting the size of the eve.json event file. If necessary, you can manage the log size by using rotation. For example, to configure hourly log rotation, add the following lines to the configuration file:

outputs:
  - eve-log:
      filename: eve-%Y-%m-%d-%H:%M.json
      rotate-interval: hour
