network security monitoring

Suricata is an open source threat detection system. Initially released by the Open Information Security Foundation (OISF) in 2010, Suricata can act both as an intrusion detection system (IDS), and intrusion prevention system (IPS), or be used for network security monitoring. 

Suricata can be set up as a host-based IDS to monitor the traffic of a single machine, a passive IDS to monitor all the traffic passing through the network and to notify the analyst when malicious activity is detected, or as an active, inline IDS and IPS to monitor inbound and outbound traffic.

Suricata comes with built-in security rules but can also be complemented with external rule sets. These rules generate log data, or security events, and to be able to effectively ingest, store and analyze this data requires a security analytics platform that can act as a centralized logging system for Suricata data and all the other types of data flowing in from other security layers.

In this article, we will explore the steps for installing and integrating Suricata with and the ELK Stack. You’ll need either a account or your own ELK deployment to follow the procedures described here.

Installing Suricata

Our first step, is to set up Suricata.

Suricata can be installed on a variety of distributions using binary packages or compiled from source files. We’ll be installing Suricata on Ubuntu 16.04, and full installation instructions are available here.

Start with installing recommended dependencies:

Next, define the PPA for installing latest stable release:

Update your system and install Suricata with:

Next, we’re going to install Suricata-Update — a tool for updating and managing Suricata rules. Suricate-Update is packaged with  Suricata, so to use it simply use:

The Emerging Threats Open ruleset is downloaded to /var/lib/suricata/rules/, and this is the command to use to update your rules.

Last but not least, start Suricata:

Shipping Suricata data to the ELK Stack

After a minute or two, Suricata will begin to generate events in a file called ‘eve.json’ located at /var/log/suricata/eve.json.

All the data generated by Suricata, whether rule-based alerts, DNS or HTTP logs, will be sent into this file. You can configure what data is shipped into this file, define different log outpouts per data type, and more, in the Suricata configuration file (/etc/suricata/suricata.yaml).

All the log types in the ‘eve.json’ file share a common structure:

Our next step is to ship this data into the ELK Stack for analysis. We will outline two methods — using Filebeat to ship to and using a combination of Filebeat and Logstash for vanila ELK deployments.


If you’re a user, all you have to do is install Filebeat and configure it to forward the suricata_ews.log file to Processing and parsing will be applied automatically.

To install Filebeat, use:

Before configuring Filebeat, download an SSL certificate for encryption:

Next, open up the Filebeat configuration file at /etc/filebeat/filebeat.yml, and enter the following configuration:

Be sure to enter your account token in the relevant field. You can find your token in the UI, on the General page of your settings.

Save the configuration file and start Filebeat:

Wait a minute or two, you will begin to see the Suricata data in

Suricata data

Using Logstash

If you’re using your own ELK deployment you will want to add Logstash into the pipeline for processing the data.

First though, our Filebeat configuration file will look as follows:

Next up, Logstash. This is a critical step in the process as we need to ensure the Suricata logs are broken up properly for easier analysis.

Since we will be using the geoip filter plugin, we need to first install it:

Create a configuration file:

The configuration defines beats as the input, Elasticsearch as the output and uses a variety of filter plugins to process the logs:

Start Logstash and Filebeat with:

Within a minute or two, you should see a new Logstash index created in Elasticsearch:

In Kibana, you can then define the new index pattern to start your analysis:

define index pattern

Analyzing the data

So – what are we looking for? What can be done with Suricata logs?

The parsing applied to the logs parses out some important fields which we can use for monitoring our network for suspicious behavior.  Below are a few examples of visualizations that can be built in Kibana for detecting malicious activity.

Suricata Alerts

Suricata rules (/etc/suricata/rules) will trigger alerts and send logs to should the conditions defined in those rules be met. To understand what the actual rules mean, I would recommend you refer to Suricata docs.  

In the bar chart below, we are monitoring the different alert categories Suricata is logging over time:


To monitor alert signatures, we could build a Data Table visualization:

alert signature

Traffic Geographic Distribution

We can monitor the geographical distribution of traffic coming into our system using Kibana’s Coordinate Map visualization. To do this we will make use of the geo enhancement applied to the src_ip field in Suricata logs.


Suricata Event Types

The event_type field indicates the Suricata log type. With the help of a pie chart visualization, we can see a breakdown of the top log types recorded in the system:


Line chart visualizations are great to monitor trends over time. In the visualization below, we’re looking at the top Suricata log types over time:


Once you’ve got all your visualizations lined up, you can add them into one comprehensive dashboard:


This dashboard is available in ELK Apps —’s library of Kibana searches, alerts, visualizations and dashboards, together with other Suricata dashboards. Simply search for “Suricata” and install any of the listed dashboards in one click.


Suricata is a great open source option for monitoring your network for malicious activity. Still, it is just one layer in what must be a more comprehensive system deployed, rather than a complete solution for security issues.

Firewalls, endpoint monitoring, access monitoring, and more — these are additional layers that need to be put in place and integrated into your security architecture. Of course, a multi-layered system generate a huge volume of data which requires a security analytics platform that can ingest all the data, process it and give you the tools to effectively analyze it.

The integration with provides you with aggregation and analytics capabilities necessary to make the most out of the logs and events that Suricata generates. We will be enhancing our Suricata integration with additional rules and dashboards in our Security Analytics platform so stay tuned!

Identify and remediate threats faster with one unified platform for operations and security.