Suricata alert logs show which rule matched traffic and which endpoints were involved. Reading them after a live sensor run or packet-capture test confirms whether the expected detection fired and gives the fields needed for triage.

The compact /var/log/suricata/fast.log file is built for quick scanning. The structured /var/log/suricata/eve.json file carries the same alert as JSON, including fields such as timestamp, signature_id, proto, source address, destination address, and optional flow details.

The compact line confirms that an alert exists, and the JSON record supplies the exact fields for a ticket, incident note, or rule test result. The default local log directory is /var/log/suricata/; adjust the path only when the active suricata.yaml writes logs somewhere else.

Steps to view Suricata alert logs:

  1. Open the compact Suricata alert log.
    $ sudo cat /var/log/suricata/fast.log
    06/25/2026-07:14:02.000000  [**] [1:1000001:1] LOCAL TEST alert log view [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.20:80

    fast.log keeps each alert on one line with the timestamp, generator ID, signature ID, revision, message, classification, priority, protocol, and endpoints.

  2. Read the same alert from eve.json with the triage fields only.
    $ sudo jq 'select(.event_type=="alert") | {timestamp, signature_id: .alert.signature_id, signature: .alert.signature, proto, src_ip, src_port, dest_ip, dest_port}' /var/log/suricata/eve.json
    {
      "timestamp": "2026-06-25T07:14:02.000000+0000",
      "signature_id": 1000001,
      "signature": "LOCAL TEST alert log view",
      "proto": "TCP",
      "src_ip": "192.0.2.10",
      "src_port": 4444,
      "dest_ip": "198.51.100.20",
      "dest_port": 80
    }

    eve.json must contain alert events before this filter prints anything.
    Related: How to enable Suricata EVE JSON output
    Related: How to read Suricata eve.json logs

  3. Open the full JSON record for the signature ID from the compact log.
    $ sudo jq 'select(.event_type=="alert" and .alert.signature_id == 1000001)' /var/log/suricata/eve.json
    {
      "timestamp": "2026-06-25T07:14:02.000000+0000",
      "flow_id": 562953329878231,
      "pcap_cnt": 1,
      "event_type": "alert",
      "src_ip": "192.0.2.10",
      "src_port": 4444,
      "dest_ip": "198.51.100.20",
      "dest_port": 80,
      "proto": "TCP",
      "ip_v": 4,
      "pkt_src": "wire/pcap",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1000001,
        "rev": 1,
        "signature": "LOCAL TEST alert log view",
        "category": "Potentially Bad Traffic",
        "severity": 2
      },
      "direction": "to_server",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 129,
        "bytes_toclient": 0,
        "start": "2026-06-25T07:14:02.000000+0000",
        "src_ip": "192.0.2.10",
        "dest_ip": "198.51.100.20",
        "src_port": 4444,
        "dest_port": 80
      }
    }

    Use the signature ID from fast.log so several alerts in the JSON file do not get mixed into the same investigation note.
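The steps above can be scripted so the fast.log line and its eve.json record are joined automatically by gid:sid and endpoints. This is an added example, not part of the original page or of Suricata itself; it assumes the default fast.log line layout shown in step 1, and the sample input is constructed from the records above.

```python
import json
import re

# Matches one fast.log line; Classification is optional because rules without classtype omit it.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def _endpoint(token):
    # "ip:port" -> (ip, port); port-less protocols such as ICMP give (ip, None). IPv6 without a port is not handled.
    ip, sep, port = token.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (token, None)

def parse_fast_line(line):
    """Fields of one fast.log line as a dict, or None when the line is not an alert line."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dest_ip, dest_port = _endpoint(m["dst"])
    return {"timestamp": m["ts"], "gid": int(m["gid"]), "signature_id": int(m["sid"]), "rev": int(m["rev"]),
            "signature": m["msg"], "category": m["cls"], "priority": int(m["prio"]), "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip, "dest_port": dest_port}

def eve_alerts(text):
    """Yield only alert records from eve.json text; blank or truncated lines are skipped, not fatal."""
    for raw in text.splitlines():
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        if isinstance(rec, dict) and rec.get("event_type") == "alert":
            yield rec

def match_eve_alert(fast, eve_text):
    """Return the eve.json alert with the same gid:sid and endpoints as a parsed fast.log line, else None."""
    for rec in eve_alerts(eve_text):
        a = rec.get("alert", {})
        if (a.get("gid"), a.get("signature_id")) == (fast["gid"], fast["signature_id"]) and \
                all(rec.get(k) == fast[k] for k in ("src_ip", "src_port", "dest_ip", "dest_port")):
            return rec
    return None

# Constructed sample input: the fast.log line from step 1 and a two-line eve.json (one flow event, one alert).
FAST_LINE = "06/25/2026-07:14:02.000000  [**] [1:1000001:1] LOCAL TEST alert log view [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.20:80"
EVE_TEXT = ('{"event_type":"flow","src_ip":"192.0.2.10","src_port":4444,"dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP"}\n'
            '{"timestamp":"2026-06-25T07:14:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":4444,"dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL TEST alert log view","category":"Potentially Bad Traffic","severity":2}}')
```

Matching on endpoints as well as gid:sid keeps two firings of the same rule against different hosts from being confused, which is the mix-up step 3 warns about.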