Suricata writes runtime counters that show how much traffic the engine has decoded, tracked, and inspected. The human-readable stats.log file is a quick health surface for checking whether a sensor is processing packets, building flows, and accumulating drops or stream gaps during a capture.
Packaged Linux installs commonly write the file at /var/log/suricata/stats.log when local file output is enabled. Each block starts with a Date line and uptime, followed by Counter, TM Name, and Value columns. Suricata writes stats records at a fixed interval, and the default interval documented by upstream is 8 seconds.
The counters in stats.log are easiest to read as a newest-block snapshot rather than as isolated lines. The file normally omits zero-valued counters, so a missing drop or gap counter usually means that counter was zero in the current block; a nonzero drop, gap, memcap, or emergency-mode counter deserves follow-up in capture, tuning, or rule-performance work.
Related: How to read Suricata eve.json logs
Related: How to tune Suricata performance
Steps to read Suricata stats logs:
- Print the current stats.log block.
$ sudo cat /var/log/suricata/stats.log ------------------------------------------------------------ Date: 6/25/2026 -- 07:14:37 (uptime: 0d, 00h 00m 07s) ------------------------------------------------------------ Counter | TM Name | Value ------------------------------------------------------------ decoder.pkts | Total | 3 decoder.bytes | Total | 213 decoder.ipv4 | Total | 3 decoder.ethernet | Total | 3 decoder.udp | Total | 3 ##### snipped ##### flow.total | Total | 3 app_layer.flow.dns_udp | Total | 3 flow.memuse | Total | 11428608
Column padding is shortened here for readability; the counter names and values match the stats.log block. Use the newest complete block for the current packet-processing state, and compare two complete blocks only when checking whether counters are still increasing during active traffic.
- Check the Date line and uptime at the top of the block.
A stale timestamp means the sensor is not writing new stats, the service stopped, or a different log path is being read.
- Read the decoder counters for traffic volume and protocol mix.
decoder.pkts | Total | 3 decoder.bytes | Total | 213 decoder.ipv4 | Total | 3 decoder.udp | Total | 3
decoder.pkts and decoder.bytes show processed packet and byte totals for the current engine run. Protocol counters such as decoder.tcp, decoder.udp, decoder.ipv4, and decoder.ipv6 show what the decoder recognized.
- Read the flow and application-layer counters.
flow.total | Total | 3 flow.udp | Total | 3 app_layer.flow.dns_udp | Total | 3 app_layer.tx.dns_udp | Total | 3
flow.total confirms that Suricata built flow state. app_layer.flow.* and app_layer.tx.* counters show protocol parsers that saw traffic, such as DNS over UDP.
- Check live-capture drop counters when they appear.
capture.kernel_packets | W#01-enp1s0 | 12094418 capture.kernel_drops | W#01-enp1s0 | 234 tcp.reassembly_gap | Detect | 17
capture.kernel_drops means the capture layer discarded packets before Suricata could inspect them. tcp.reassembly_gap means TCP stream data was missing or could not be reassembled; packet loss, checksum problems, and memory pressure can all contribute.
- Check alert and detection counters when alert volume matters.
detect.alert | Detect | 12
detect.alert is cumulative for the engine run. A rising packet count with no expected alert activity usually points to rules, HOME_NET scope, suppression, or logging configuration rather than to the stats file itself.
- Confirm the block matches the sensor state before escalating.
decoder.pkts | Total | 3 decoder.bytes | Total | 213 decoder.udp | Total | 3 flow.total | Total | 3 app_layer.flow.dns_udp | Total | 3
The block shows packet decoding, flow creation, and DNS parser activity from the same run, with no nonzero drop or TCP gap counters in the printed stats block.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
