Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has already proven its position as a superior solution for storing and analyzing Suricata logs, offering unparalleled capabilities for security teams to gain deep insights into network traffic patterns and potential threats. Now, SC4S (Splunk Connect for Syslog) is changing the game by delivering faster, more reliable, and highly scalable Suricata log ingestion. In this post, we will showcase a simple setup of Suricata with Splunk using SC4S.

## Using Splunk to Analyze Suricata Logs

Suricata is a high-performance, open-source network security monitoring system used primarily as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) tool. Suricata generates various log types, each serving specific monitoring purposes. For example, alert logs are generated when the system identifies threats. Flow logs include session data such as duration and byte counts. File info logs contain extracted file metadata with names, types, sizes, and hashes.

Several Technology Add-ons (TAs) are available for Suricata log processing and analysis. Some of them are simple, lightweight solutions, while others are full-featured integrations with comprehensive dashboards.

*Stamus dashboard. Source: https://splunkbase.splunk.com/app/5262*

## Set Up Suricata

### Step 1: Install Suricata

Refer to the Suricata documentation for installation instructions. For example, on Ubuntu, you can use the APT repositories:

```bash
sudo apt install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
```

### Step 2: Configure Network Interface

Edit `/etc/suricata/suricata.yaml` to specify your network interface in the `af-packet` section.
First, identify the network interface name by running the following:

```bash
ip addr
```

In this example, the interface is `ens5`. Then update the interface in the `af-packet` section of `/etc/suricata/suricata.yaml`.

### Step 3: Install and Update Signatures

Suricata uses signatures to trigger alerts, so it is necessary to install them and keep them updated:

```bash
sudo suricata-update
sudo systemctl restart suricata
```

### Step 4: Enable EVE JSON Logging

EVE (Extensible Event Format) logs provide structured JSON output that is ideal for Splunk ingestion. Enable this in the `eve-log` output section of your Suricata configuration for rich, parseable log data. Then restart the service:

```bash
sudo systemctl restart suricata
```

## Set Up SC4S

### Why SC4S

SC4S (Splunk Connect for Syslog) simplifies the ingestion process by automatically parsing and enriching Suricata logs. Designed specifically to handle syslog messages at scale, SC4S provides advanced features including filtering, parsing, load balancing, and disk-based buffering. SC4S comes preconfigured with Splunk best practices: correct metadata, sourcetype assignment, index routing, and source tagging. Available as a container, it deploys easily in modern environments such as Kubernetes. The solution includes built-in health checks, metrics, and scalable deployment patterns. Thanks to syslog-ng's efficient C-based engine, SC4S handles high-throughput syslog ingestion with minimal resource usage.

### Install SC4S

Follow the Quickstart Guide in the SC4S documentation to launch an SC4S instance. The default configuration is ready to correctly parse and process Suricata logs out of the box.
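For reference, this is the shape of the `eve-log` block in `/etc/suricata/suricata.yaml` that Step 4 above enables, already pointed at the local syslog daemon as the next section requires. It is an added example rather than the post's own screenshot; the `identity`, `facility`, `level` and event `types` values are assumptions to adjust to your deployment.

```yaml
outputs:
  - eve-log:
      enabled: yes
      # "regular" writes eve.json to the log directory; "syslog" hands each
      # JSON event to the local syslog daemon, which forwards it to SC4S.
      filetype: syslog
      # Only used when filetype is regular; harmless to keep.
      filename: eve.json
      # Program name and facility stamped on every syslog line (assumed values).
      identity: "suricata"
      facility: local5
      level: Info
      # One JSON record per event. Each record carries an event_type field
      # (alert, flow, dns, ...) matching the compound sourcetypes
      # (suricata:alert, suricata:flow, ...) you will see in Splunk.
      types:
        - alert
        - http
        - dns
        - tls
        - files
        - flow
```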
## Set Up the Suricata - SC4S Connection

### Step 1: Configure Syslog Transport

Install a syslog daemon on the Suricata host and configure it to forward logs to your SC4S instance:

```bash
sudo apt install syslog-ng
```

```
# Configure destination in /etc/syslog-ng/syslog-ng.conf
destination d_net { tcp("your-sc4s-host" port(514) log_fifo_size(1000)); };

# Uncomment the following line in /etc/syslog-ng/syslog-ng.conf
log { source(s_src); destination(d_net); };
```

```bash
sudo systemctl enable syslog-ng
sudo systemctl start syslog-ng
```

### Step 2: Redirect Suricata Logs to Syslog

In `suricata.yaml`, change the `eve-log` `filetype` from `regular` to `syslog`. Then restart the service:

```bash
sudo systemctl restart suricata
```

### Step 3: Confirm Successful Log Delivery in Splunk

Check that logs are properly sourcetyped and parsed out of the box.

### Step 4 (Optional): Change Suricata Sourcetype to Simple

While most TAs are compatible with the default sourcetypes, some may require simple sourcetypes. In `/opt/sc4s/env_file`, add:

```
SC4S_SURICATA_SIMPLE_SOURCETYPE=yes
```

Then run:

```bash
sudo systemctl restart sc4s
```

Notice that compound sourcetypes such as `suricata:flow`, `suricata:dns`, etc. have been replaced with the simple sourcetype `suricata`.

## Splunk Configuration

### Step 1: Install Your Chosen TA

1. Download the TA from Splunkbase.
2. Install via `Apps` → `Manage Apps` → `Install app from file`.
3. Enable the add-on.

### Step 2 (Optional): Enable Data Model Acceleration

For optimal performance with some TAs (like `CCX Add-on for Suricata`), enable acceleration for these data models:

- Alerts
- Intrusion Detection
- Network Resolution (DNS)
- Network Sessions
- Network Traffic
- Web

Go to `Settings` -> `Data Models`. For each listed model, click `Edit` -> `Edit Acceleration` -> `Accelerate`.

### Step 3: Test Your TA

Go to `Apps` and select your TA to view its reports and dashboards, for example with `CCX Add-on for Suricata` or Stamus.

## Conclusion

Integrating Suricata with Splunk through SC4S creates a robust network security monitoring solution. The combination of Suricata's powerful detection capabilities, SC4S's efficient log processing, and Splunk's analytical power provides comprehensive visibility into your network security posture. Whether you're just starting with network security monitoring or looking to enhance your existing capabilities, this integration offers a proven path to improved threat detection and incident response.
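Before checking sourcetypes in Splunk (Step 3 of the connection section), it helps to confirm on the sensor itself that the local syslog daemon is receiving well-formed EVE events and to know which sourcetype each should land under. The following check is an added example, not code from the post or from SC4S: it assumes the `eve-log` `identity` is `suricata` and that lines use the classic BSD syslog layout a daemon writes to `/var/log/syslog`, and it reproduces the sourcetype naming the post describes (`suricata:<event_type>`, or plain `suricata` when `SC4S_SURICATA_SIMPLE_SOURCETYPE=yes`); the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Classic BSD syslog line: optional <PRI>, "Mon DD HH:MM:SS", host, program
# tag (identity "suricata" with optional PID), then the EVE JSON payload.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"suricata(?:\[\d+\])?: (?P<json>\{.*\})$"
)

def parse_eve_line(line):
    """Return the EVE event dict carried by one syslog line, or None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    try:
        event = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    # Every EVE record has timestamp and event_type; anything else is not delivered data.
    if not isinstance(event, dict) or "event_type" not in event or "timestamp" not in event:
        return None
    return event

def expected_sourcetype(event, simple=False):
    """Sourcetype the post says SC4S assigns: compound by default, simple if enabled."""
    return "suricata" if simple else "suricata:" + event["event_type"]

def summarize(lines, simple=False):
    """Count parseable EVE events per expected Splunk sourcetype."""
    counts = Counter()
    for line in lines:
        event = parse_eve_line(line)
        if event is not None:
            counts[expected_sourcetype(event, simple)] += 1
    return counts

# Constructed sample lines (not real traffic): an alert, a flow, a truncated
# event and an unrelated sshd line. <174> = facility local5, severity info.
SAMPLE_LINES = [
    '<174>Jun  3 10:15:01 sensor01 suricata[1234]: {"timestamp":"2025-06-03T10:15:01.123456+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"signature":"CONSTRUCTED test signature"}}',
    '<174>Jun  3 10:15:02 sensor01 suricata[1234]: {"timestamp":"2025-06-03T10:15:02.000001+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"bytes_toserver":512,"bytes_toclient":2048}}',
    '<174>Jun  3 10:15:03 sensor01 suricata[1234]: {"timestamp":"2025-06-03T10:15:03.000001+0000","event_type":"dns","dns":{"rrname":"example.com',
    'Jun  3 10:15:04 sensor01 sshd[99]: Accepted publickey for ops from 10.0.0.7 port 50022 ssh2',
]

if __name__ == "__main__":
    for sourcetype, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{sourcetype}: {n}")
```

Run it against real lines with `summarize(open("/var/log/syslog"))`; a missing event type in the output (for example no `suricata:alert` entries) points at the `types` list or the `filetype` setting rather than at SC4S.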