Suricata writes its richest event stream through EVE JSON, the newline-delimited JSON log used for alerts, flow records, protocol metadata, and statistics. Enabling the eve-log output gives local operators and downstream collectors one parseable file instead of spreading useful context across separate text logs.
The packaged configuration normally stores this output under /var/log/suricata/eve.json through the default-log-dir setting and the outputs list in /etc/suricata/suricata.yaml. Many installs already ship with eve-log enabled, but custom baselines, hardened configs, or copied snippets can disable it or remove event types that a collector expects.
Keep the change narrow: enable the file output, test the YAML, restart the running sensor, and parse one EVE event from an isolated run or approved packet capture. The offline verification writes temporary output under /tmp/eve-check so the production eve.json file is not overwritten while the setting is checked.
Related: How to read Suricata eve.json logs
Steps to enable Suricata EVE JSON output:
- Back up the active Suricata configuration file.
$ sudo cp -a /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
- Open /etc/suricata/suricata.yaml in a text editor.
$ sudoedit /etc/suricata/suricata.yaml
- Set the eve-log output to a regular file named eve.json.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            requests: yes
            responses: yes
        - tls:
            extended: yes
        - stats:
            totals: yes
            threads: no
            deltas: no
        - flow
Keep any additional event types already required by your sensor or collector. This focused block writes alerts, selected protocol metadata, statistics, and flow records to the same EVE file.
- Test the Suricata configuration before applying the change.
$ sudo suricata -T -c /etc/suricata/suricata.yaml
i: suricata: This is Suricata version 8.0.3 RELEASE running in SYSTEM mode
i: suricata: Configuration provided was successfully loaded. Exiting.
Related: How to test Suricata configuration
- Restart the Suricata service so the running sensor reads the updated output block.
$ sudo systemctl restart suricata
Related: How to manage the Suricata service
- Remove any old temporary EVE check output.
$ sudo rm -rf /tmp/eve-check
Use only the /tmp/eve-check path for this cleanup step. Do not point this command at /var/log/suricata or another live log directory.
- Create the temporary EVE check directory.
$ sudo mkdir -p /tmp/eve-check
- Run Suricata against a known packet capture.
$ sudo suricata -r sample.pcap -c /etc/suricata/suricata.yaml -l /tmp/eve-check
i: suricata: This is Suricata version 8.0.3 RELEASE running in USER mode
i: threads: Threads created -> RX: 1 W: 8 FM: 1 FR: 1 Engine started.
i: suricata: Signal Received. Stopping engine.
i: pcap: read 1 file, 1 packets, 75 bytes
Replace sample.pcap with a small approved capture from a lab or maintenance window. The -l option keeps the generated EVE file separate from the service log directory.
- Parse the temporary eve.json file for a stats event.
$ sudo jq -r 'select(.event_type=="stats").stats.decoder.pkts' /tmp/eve-check/eve.json
1
A number means jq parsed a stats record from eve.json. Use an alert-specific jq filter when the packet capture is expected to trigger a rule.
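Beyond the single jq filter, it is useful to see which event types the temporary eve.json actually contains, compared with the types the eve-log block above enables. The script below is an added example, not part of this guide or of the Suricata project: it parses newline-delimited EVE JSON, skips malformed lines instead of aborting, pulls the same stats.decoder.pkts value the jq command reads, and lists expected event types that never appeared. The sample EVE lines are constructed for the demonstration; the EXPECTED_TYPES set mirrors the block in this guide and should be adjusted to your own configuration. A missing type is a hint, not proof of misconfiguration: a one-packet capture will not produce alert or http records no matter how the output is configured.

```python
import json
import sys
from collections import Counter

# Event types enabled by the eve-log block in this guide (assumption: adjust to your config).
EXPECTED_TYPES = {"alert", "http", "dns", "tls", "stats", "flow"}

# Constructed sample EVE JSON lines (not from a real sensor). One line is deliberately
# malformed to show that the parser skips it rather than aborting the whole check.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0}}
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"stats","stats":{"decoder":{"pkts":1,"bytes":75}}}
this line is not json
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns","dns":{"type":"query","rrname":"example.com"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON. Returns (events, bad_line_count)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        # Every EVE record is an object carrying event_type; anything else is not EVE.
        if isinstance(event, dict) and "event_type" in event:
            events.append(event)
        else:
            bad += 1
    return events, bad


def event_type_counts(events):
    """Count records per event_type, e.g. Counter({'flow': 1, 'stats': 1, 'dns': 1})."""
    return Counter(event["event_type"] for event in events)


def decoder_pkts(events):
    """Same value as jq 'select(.event_type=="stats").stats.decoder.pkts', one per stats record."""
    values = []
    for event in events:
        if event["event_type"] != "stats":
            continue
        decoder = event.get("stats", {}).get("decoder", {})
        if "pkts" in decoder:
            values.append(decoder["pkts"])
    return values


def missing_types(events, expected=EXPECTED_TYPES):
    """Expected event types that never appeared in the file, sorted for stable output."""
    return sorted(set(expected) - set(event_type_counts(events)))


def check_eve(text, expected=EXPECTED_TYPES):
    """Run all checks over EVE text and return a summary dict."""
    events, bad = parse_eve(text)
    return {
        "events": len(events),
        "bad_lines": bad,
        "counts": dict(event_type_counts(events)),
        "decoder_pkts": decoder_pkts(events),
        "missing_types": missing_types(events, expected),
    }


if __name__ == "__main__":
    # Usage: python eve_check.py /tmp/eve-check/eve.json   (no argument runs the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            summary = check_eve(fh.read())
    else:
        summary = check_eve(SAMPLE_EVE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against /tmp/eve-check/eve.json after the packet-capture step; a non-empty decoder_pkts list confirms the stats output is being written, and the missing_types list tells you which event types to look for with a richer capture or to re-check in the outputs block.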
- Remove the temporary EVE check directory.
$ sudo rm -rf /tmp/eve-check
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.