Suricata writes its richest event stream through EVE JSON, the newline-delimited JSON log used for alerts, flow records, protocol metadata, and statistics. Enabling the eve-log output gives local operators and downstream collectors one parseable file instead of spreading useful context across separate text logs.
The packaged configuration normally stores this output under /var/log/suricata/eve.json through the default-log-dir setting and the outputs list in /etc/suricata/suricata.yaml. Many installs already ship with eve-log enabled, but custom baselines, hardened configs, or copied snippets can disable it or remove event types that a collector expects.
Keep the change narrow: enable the file output, test the YAML, restart the running sensor, and parse one EVE event from an isolated run or approved packet capture. The offline verification writes temporary output under /tmp/eve-check so the production eve.json file is not overwritten while the setting is checked.
$ sudo cp -a /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
$ sudoedit /etc/suricata/suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            requests: yes
            responses: yes
        - tls:
            extended: yes
        - stats:
            totals: yes
            threads: no
            deltas: no
        - flow
Keep any additional event types already required by your sensor or collector. This focused block writes alerts, selected protocol metadata, statistics, and flow records to the same EVE file.
$ sudo suricata -T -c /etc/suricata/suricata.yaml
i: suricata: This is Suricata version 8.0.3 RELEASE running in SYSTEM mode
i: suricata: Configuration provided was successfully loaded. Exiting.
$ sudo systemctl restart suricata
$ sudo rm -rf /tmp/eve-check
Use only the /tmp/eve-check path for this cleanup step. Do not point this command at /var/log/suricata or another live log directory. Removing and recreating the directory as root also means the offline run does not reuse a /tmp/eve-check that another local user could have created under the world-writable /tmp beforehand.
$ sudo mkdir -p /tmp/eve-check
$ sudo suricata -r sample.pcap -c /etc/suricata/suricata.yaml -l /tmp/eve-check
i: suricata: This is Suricata version 8.0.3 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: pcap: read 1 file, 1 packets, 75 bytes
Replace sample.pcap with a small approved capture from a lab or maintenance window. The -l option overrides default-log-dir for this run only, so eve.json (and any other file outputs enabled in the same config) land under /tmp/eve-check rather than in the service log directory.
$ sudo jq -r 'select(.event_type=="stats").stats.decoder.pkts' /tmp/eve-check/eve.json
1
A number means jq parsed a stats record from eve.json, and it should match the packet count reported by the pcap reader on shutdown (1 here). Suricata writes this final stats record when the offline run stops, so an empty result usually means the stats type was removed from the eve-log types list or the file was not written at all. Use an alert-specific jq filter when the packet capture is expected to trigger a rule.
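The jq one-liner is enough for a quick check, but a collector-side script wants the same answer without stopping on a partial line. The following checker, added here as an example and not Suricata's own code, reads EVE's newline-delimited JSON, skips a truncated trailing line (the normal state of a file the sensor is still writing), counts event types, pulls the decoder packet count from the last stats record, and lists any alerts. The sample lines are constructed for the example; they follow EVE's event_type, stats.decoder.pkts and alert.signature layout, but the values, addresses and the rule name are made up.

```python
"""Minimal EVE JSON (newline-delimited) checker for an offline Suricata run.

Added example, not Suricata's own code. Given eve.json text it reports the
same facts the jq one-liner does (decoder packet count from the stats record,
plus any alerts) while tolerating a truncated last line.
"""
import json
from collections import Counter
from pathlib import Path

# Constructed sample standing in for /tmp/eve-check/eve.json. Field names match
# EVE's layout; timestamps, addresses and the rule are invented for the example.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow",'
    '"proto":"TCP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2024-05-01T10:00:00.100000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,'
    '"rev":1,"signature":"LOCAL test rule","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"stats",'
    '"stats":{"decoder":{"pkts":1,"bytes":75}}}',
    '{"timestamp":"2024-05-01T10:00:01.000',  # cut-off write: not valid JSON
]) + "\n"


def parse_eve(text):
    """Parse NDJSON text into (events, bad_line_count).

    Lines that are not complete JSON objects with an event_type are counted,
    not raised: a partial last line is normal while the sensor is writing,
    and one bad line must not hide the rest of the events.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
        else:
            bad += 1
    return events, bad


def summarize(events):
    """Return the checks a practitioner wants after an offline run."""
    counts = Counter(e["event_type"] for e in events)
    pkts = [e.get("stats", {}).get("decoder", {}).get("pkts")
            for e in events if e["event_type"] == "stats"]
    alerts = [(e["alert"].get("signature_id"), e["alert"].get("signature"))
              for e in events if e["event_type"] == "alert" and "alert" in e]
    return {
        "event_types": dict(counts),
        # The last stats record is the shutdown total for an offline run.
        "decoder_pkts": pkts[-1] if pkts else None,
        "alerts": alerts,
    }


def check_eve(text, expect_alert=False):
    """Return (ok, summary, bad_lines); ok means eve-log proved itself."""
    events, bad = parse_eve(text)
    summary = summarize(events)
    ok = summary["decoder_pkts"] is not None
    if expect_alert:
        ok = ok and bool(summary["alerts"])
    return ok, summary, bad


def check_file(path, expect_alert=False):
    """Run check_eve over a real file, e.g. /tmp/eve-check/eve.json."""
    return check_eve(Path(path).read_text(encoding="utf-8"), expect_alert)


if __name__ == "__main__":
    ok, summary, bad = check_eve(SAMPLE_EVE, expect_alert=True)
    print("ok:", ok, "malformed lines:", bad)
    print(summary)
```

Pass expect_alert=True only when the capture is known to match a rule; otherwise the stats record alone is the right success criterion, exactly as with the jq filter above.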
$ sudo rm -rf /tmp/eve-check