Collect Suricata Eve logs

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

This document describes how you can collect SURICATA_EVE logs and view them in Google Security Operations.
The following deployment architecture shows how Suricata and Logstash are configured to send SURICATA_EVE logs to Google Security Operations.

1. Suricata writes its events to an `eve.json` file.
2. Logstash watches the `eve.json` file and forwards each new line to a syslog server. The syslog server can be a forwarder on the same VM as Suricata or on a separate VM.
3. The syslog server uses the Google Security Operations forwarder to listen for new logs on a specific port.
4. The Google Security Operations forwarder forwards the logs to a Google Security Operations instance.
Before you begin
- Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see [Access control for organizations with IAM](/resource-manager/docs/access-control-org).

- Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure Suricata and related software

1. Create an [internal network load balancer](/load-balancing/docs/internal/setting-up-internal#lb-packet-mirroring).

2. Set up [packet mirroring](/vpc/docs/using-packet-mirroring).

3. Install [Suricata](https://docs.suricata.io/en/latest/quickstart.html) and confirm that alerts are being written to the `eve.json` file. Note where the `eve.json` file is located; the configuration in step 5 assumes `/var/log/suricata/eve.json`.

4. Install [Logstash](https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html#install-order-elastic-stack) on the Suricata server.

5. Edit the Logstash configuration file (`/etc/logstash/conf.d/logstash.conf`):

   a. Add the following code:
   - Change `SYSLOG_SERVER` to the location of your syslog server.
   - Make sure the port number (in this example, `10520`) matches the port number in the Google Security Operations forwarder configuration.

   ```conf
   input {
     file {
       # Path noted in step 3; change it if eve.json is written elsewhere.
       path => "/var/log/suricata/eve.json"
       # Tail only records written after Logstash starts. Because sincedb_path
       # is /dev/null the read position is never persisted, so after a Logstash
       # restart forwarding resumes at the end of the file and records written
       # while Logstash was down are not sent.
       start_position => "end"
       sincedb_path => "/dev/null"
     }
   }
   output {
     udp {
       host => "SYSLOG_SERVER"
       port => 10520
       # Send the raw eve.json line and nothing else: no syslog header, no
       # Logstash metadata. The forwarder expects one JSON object per line.
       # UDP gives no delivery guarantee; a datagram lost on the network is gone.
       codec => line { format => "%{message}" }
     }
   }
   ```

   b. Change the `output.udp.host` IP address:
   - If the Google Security Operations forwarder is on a different system than the syslog server, use the IP address of the syslog server.
   - If the Google Security Operations forwarder is on the same system as the syslog server, use an internal IP address.

You can use another log forwarder solution, such as [rsyslog](https://www.rsyslog.com/), with a configuration that removes the syslog header so that each line delivered to the forwarder is the bare `eve.json` record.

Ingest the SURICATA_EVE logs

Follow the instructions in [Ingest Google Cloud logs to Google Security Operations](/chronicle/docs/ingestion/cloud/ingest-gcp-logs).

If you encounter issues when ingesting SURICATA_EVE logs, [contact Google Security Operations support](/chronicle/docs/support).

For more information about how Google Security Operations ingests data, see [Data ingestion to Google Security Operations overview](/chronicle/docs/data-ingestion-flow).

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)

Last updated 2025-08-29 UTC.