Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has already proven its position as a superior solution for storing and analyzing Suricata logs, offering unparalleled capabilities for security teams to gain deep insights into network traffic patterns and potential threats. Now, SC4S (Splunk Connect for Syslog) is changing the game by delivering faster, more reliable, and highly scalable Suricata log ingestion.
In this post, we will showcase a simple setup of Suricata with Splunk using SC4S.
Using Splunk to Analyze Suricata Logs
Suricata is a high-performance, open-source network security monitoring system used primarily as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) tool.
Suricata generates various log types, each serving specific monitoring purposes. For example, alert logs are generated when the system identifies threats. Flow logs include session data including duration and byte counts. File info logs contain extracted file metadata with names, types, sizes, and hashes.
Several Technology Add-ons (TAs) are available for Suricata log processing and analysis. Some of them are simple, lightweight solutions, while others are full-featured integrations with comprehensive dashboards.
Stamus dashboard. Source: https://splunkbase.splunk.com/app/5262
Set Up Suricata
Step 1: Install Suricata
Refer to the Suricata documentation for installation instructions. For example, on Ubuntu, you can use the APT repositories:
sudo apt install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
Step 2: Configure Network Interface
Edit `/etc/suricata/suricata.yaml` to specify your network interface in the `af-packet` section.
First, identify the network interface name by running the following:
ip addr
In this example, the interface is `ens5`:
Then update the interface in the `af-packet` section:
Step 3: Install and Update Signatures
Suricata uses Signatures to trigger alerts so it's necessary to install those and keep them updated.
sudo suricata-update
sudo systemctl restart suricata
Step 4: Enable EVE JSON Logging
EVE (Extensible Event Format) logs provide structured JSON output that's ideal for Splunk ingestion. Enable this in your Suricata configuration for rich, parseable log data:
Then restart the service:
sudo systemctl restart suricata
Set Up SC4S
Why SC4S
SC4S (Splunk Connect for Syslog) simplifies the ingestion process by automatically parsing and enriching Suricata logs. Designed specifically to handle syslog messages at scale, SC4S provides advanced features including filtering, parsing, load balancing, and disk-based buffering.
SC4S comes preconfigured with Splunk best practices: correct metadata, sourcetype assignment, index routing, and source tagging. Available as a container, it deploys easily in modern environments such as Kubernetes. The solution includes built-in health checks, metrics, and scalable deployment patterns. Thanks to syslog-ng's efficient C-based engine, SC4S handles high-throughput syslog ingestion with minimal resource usage.
Install SC4S
Follow the Quickstart Guide in the SC4S documentation to launch an SC4S instance. The default configuration is ready to correctly parse and process Suricata logs out of the box.
Setup Suricata - SC4S Connection
Step 1: Configure Syslog Transport
Install a syslog daemon on the Suricata host and configure it to forward logs to your SC4S instance:
sudo apt install syslog-ng
# Configure destination in /etc/syslog-ng/syslog-ng.conf
destination d_net { tcp("your-sc4s-host" port(514) log_fifo_size(1000)); };
# Uncomment the following line in /etc/syslog-ng/syslog-ng.conf
log { source(s_src); destination(d_net); };
sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng
Step 2: Redirect Suricata Logs to Syslog
In `suricata.yaml`, change the eve-log filetype from regular to syslog:
Then restart the service:
sudo systemctl restart suricata
Step 3: Confirm Successful Log Delivery in Splunk
Check that logs are properly sourcetyped and parsed out of the box:
Step 4 (Optional): Change Suricata Sourcetype to Simple
While most TAs are compatible with the default sourcetypes, some may require simple sourcetypes.
In `/opt/sc4s/env_file`, add:
SC4S_SURICATA_SIMPLE_SOURCETYPE=yes
Then run:
sudo systemctl restart sc4s
Notice that compound sourcetypes such as ‘suricata:flow’, ‘suricata:dns’, etc. have been replaced with a simple sourcetype `suricata`.
Splunk Configuration
Step 1: Install Your Chosen TA
- Download the TA from Splunkbase
- Install via `Apps` → `Manage Apps` → `Install app from file`
- Enable the add-on.
Step 2 (Optional): Enable Data Model Acceleration
For optimal performance with some TAs (like `CCX Add-on for Suricata`), enable acceleration for these data models:
- Alerts
- Intrusion Detection
- Network Resolution (DNS)
- Network Sessions
- Network Traffic
- Web
Go to `Settings` -> `Data Models`. For each listed model, click `Edit` -> `Edit Acceleration` -> `Accelerate`.
Step 3 Test Your TA
Go to `Apps` and select your TA to view its reports and dashboards.
For example with `CCX Add-on for Suricata`:
Or Stamus:
Conclusion
Integrating Suricata with Splunk through SC4S creates a robust network security monitoring solution. The combination of Suricata's powerful detection capabilities, SC4S's efficient log processing, and Splunk's analytical power provides comprehensive visibility into your network security posture.
Whether you're just starting with network security monitoring or looking to enhance your existing capabilities, this integration offers a proven path to improved threat detection and incident response.
