How SC4S Makes Suricata Logs Ingestion Simple

mstopa
Splunk Employee

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has already proven its position as a superior solution for storing and analyzing Suricata logs, offering unparalleled capabilities for security teams to gain deep insights into network traffic patterns and potential threats. Now, SC4S (Splunk Connect for Syslog) is changing the game by delivering faster, more reliable, and highly scalable Suricata log ingestion.

In this post, we will showcase a simple setup of Suricata with Splunk using SC4S.

Using Splunk to Analyze Suricata Logs

Suricata is a high-performance, open-source network security monitoring system used primarily as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) tool.

Suricata generates various log types, each serving a specific monitoring purpose. For example, alert logs are generated when the system identifies threats. Flow logs contain session data such as duration and byte counts. File info logs contain extracted file metadata with names, types, sizes, and hashes.

Several Technology Add-ons (TAs) are available for Suricata log processing and analysis. Some of them are simple, lightweight solutions, while others are full-featured integrations with comprehensive dashboards.

[Screenshot: Stamus dashboard. Source: https://splunkbase.splunk.com/app/5262]

Set Up Suricata

Step 1: Install Suricata

Refer to the Suricata documentation for installation instructions. For example, on Ubuntu, you can use the APT repositories:

sudo apt install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata

Step 2: Configure Network Interface

Edit `/etc/suricata/suricata.yaml` to specify your network interface in the `af-packet` section.

First, identify the network interface name by running the following:

ip addr

In this example, the interface is `ens5`:

[Screenshot: `ip addr` output showing interface ens5]

Then update the interface in the `af-packet` section:

[Screenshot: af-packet section of suricata.yaml with interface set to ens5]

Step 3: Install and Update Signatures

Suricata uses signatures (rules) to trigger alerts, so it's necessary to install them and keep them updated:

sudo suricata-update
sudo systemctl restart suricata

Step 4: Enable EVE JSON Logging

EVE (Extensible Event Format) logs provide structured JSON output that's ideal for Splunk ingestion. Enable this in your Suricata configuration for rich, parseable log data:

[Screenshot: eve-log section of suricata.yaml with enabled: yes]

Then restart the service:

sudo systemctl restart suricata

Set Up SC4S

Why SC4S

SC4S (Splunk Connect for Syslog) simplifies the ingestion process by automatically parsing and enriching Suricata logs. Designed specifically to handle syslog messages at scale, SC4S provides advanced features including filtering, parsing, load balancing, and disk-based buffering.

SC4S comes preconfigured with Splunk best practices: correct metadata, sourcetype assignment, index routing, and source tagging. Available as a container, it deploys easily in modern environments such as Kubernetes. The solution includes built-in health checks, metrics, and scalable deployment patterns. Thanks to syslog-ng's efficient C-based engine, SC4S handles high-throughput syslog ingestion with minimal resource usage.

Install SC4S

Follow the Quickstart Guide in the SC4S documentation to launch an SC4S instance. The default configuration is ready to correctly parse and process Suricata logs out of the box.

Setup Suricata - SC4S Connection

Step 1: Configure Syslog Transport

Install a syslog daemon on the Suricata host and configure it to forward logs to your SC4S instance:

sudo apt install syslog-ng

# Configure destination in /etc/syslog-ng/syslog-ng.conf
destination d_net { tcp("your-sc4s-host" port(514) log_fifo_size(1000)); };

# Uncomment the following line in /etc/syslog-ng/syslog-ng.conf
log { source(s_src); destination(d_net); };

sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng

Step 2: Redirect Suricata Logs to Syslog

In `suricata.yaml`, change the eve-log filetype from regular to syslog:

[Screenshot: eve-log outputs section of suricata.yaml with filetype: syslog]

Then restart the service:

sudo systemctl restart suricata

Step 3: Confirm Successful Log Delivery in Splunk

Check that logs are properly sourcetyped and parsed out of the box:

[Screenshot: Splunk search showing Suricata events parsed with suricata:* sourcetypes]

Step 4 (Optional): Change Suricata Sourcetype to Simple

While most TAs are compatible with the default sourcetypes, some may require simple sourcetypes.

In `/opt/sc4s/env_file`, add:

SC4S_SURICATA_SIMPLE_SOURCETYPE=yes

Then run:

sudo systemctl restart sc4s

Notice that compound sourcetypes such as `suricata:flow`, `suricata:dns`, etc. have been replaced with the simple sourcetype `suricata`.

[Screenshot: Splunk search showing Suricata events with the simple sourcetype suricata]
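As an added check for Steps 3 and 4 (example code written for this post, not part of SC4S or the original article): it parses syslog-framed EVE lines the way SC4S receives them from syslog-ng, skips the plain-text status messages Suricata also sends through syslog, and reports which sourcetype each event would land in under the default compound naming versus the simple `suricata` sourcetype. The RFC 3164 framing, host and PID values, and the event contents are constructed assumptions.

```python
import json
import re
# Constructed sample lines (not from the post), shaped like what syslog-ng forwards
# to SC4S once Suricata's eve-log filetype is "syslog" (RFC 3164 header assumed).
SAMPLE_LINES = [
    '<14>Jul 22 10:15:01 sensor01 suricata[2213]: {"timestamp":"2025-07-22T10:15:01.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"signature":"CONSTRUCTED test sig","severity":2}}',
    '<14>Jul 22 10:15:02 sensor01 suricata[2213]: {"timestamp":"2025-07-22T10:15:02.000001+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"pkts_toserver":12,"pkts_toclient":9,"bytes_toserver":1400}}',
    '<14>Jul 22 10:15:03 sensor01 suricata[2213]: {"timestamp":"2025-07-22T10:15:03.000001+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    # Suricata also emits plain status text via syslog; it must be skipped, not parsed.
    '<14>Jul 22 10:15:04 sensor01 suricata[2213]: 1 rule files processed. 50000 rules loaded.',
]

SYSLOG_RE = re.compile(r"^<\d{1,3}>\S+\s+\d{1,2}\s+[\d:]+\s+\S+\s+suricata\[\d+\]:\s*(?P<msg>.*)$")

def extract_eve(line):
    """Return the EVE JSON object in one syslog line, or None if it is not Suricata JSON."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg").strip()
    if not msg.startswith("{"):
        return None
    try:
        return json.loads(msg)
    except json.JSONDecodeError:
        return None

def sourcetype_for(event, simple=False):
    """'suricata:<event_type>' by default; plain 'suricata' in simple mode or if event_type is absent."""
    if simple or "event_type" not in event:
        return "suricata"
    return f"suricata:{event['event_type']}"

def summarize(lines, simple=False):
    """Count events per sourcetype and pull alert essentials; non-EVE lines are counted as skipped."""
    counts, alerts, skipped = {}, [], 0
    for line in lines:
        ev = extract_eve(line)
        if ev is None:
            skipped += 1
            continue
        st = sourcetype_for(ev, simple)
        counts[st] = counts.get(st, 0) + 1
        if ev.get("event_type") == "alert":
            alerts.append((ev["src_ip"], ev["dest_ip"], ev["alert"]["signature"], ev["alert"]["severity"]))
    return {"counts": counts, "alerts": alerts, "skipped": skipped}
```

Running `summarize(SAMPLE_LINES)` gives one event each for `suricata:alert`, `suricata:flow` and `suricata:dns` plus one skipped status line; with `simple=True` all three count under `suricata`, matching what the two Splunk searches above should show.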

Splunk Configuration

Step 1: Install Your Chosen TA

  1. Download the TA from Splunkbase.
  2. Install it via `Apps` → `Manage Apps` → `Install app from file`.
  3. Enable the add-on.

Step 2 (Optional): Enable Data Model Acceleration

For optimal performance with some TAs (like `CCX Add-on for Suricata`), enable acceleration for these data models:

  • Alerts
  • Intrusion Detection
  • Network Resolution (DNS)
  • Network Sessions
  • Network Traffic
  • Web

Go to `Settings` → `Data Models`. For each listed model, click `Edit` → `Edit Acceleration` → `Accelerate`.

Step 3: Test Your TA

Go to `Apps` and select your TA to view its reports and dashboards.

For example, with `CCX Add-on for Suricata`:

[Screenshot: CCX Add-on for Suricata dashboard]

Or Stamus:

[Screenshot: Stamus dashboard]

Conclusion

Integrating Suricata with Splunk through SC4S creates a robust network security monitoring solution. The combination of Suricata's powerful detection capabilities, SC4S's efficient log processing, and Splunk's analytical power provides comprehensive visibility into your network security posture.

Whether you're just starting with network security monitoring or looking to enhance your existing capabilities, this integration offers a proven path to improved threat detection and incident response.
