# read_suricata

Parse an incoming [Suricata EVE JSON](https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html) stream into events.

```tql
read_suricata [schema_only=bool, raw=bool]
```

## Description

The [Suricata](https://suricata.io) network security monitor converts network traffic into a stream of metadata events and provides a rule matching engine to generate alerts. Suricata emits events in the [EVE JSON](https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html) format. The output is a single stream of events where the `event_type` field disambiguates the event type.

Tenzir’s [`read_json`](https://preview.docs.tenzir.com/375/375/reference/operators/read_json.md) operator can handle EVE JSON correctly, but for the schema names to match the value of the `event_type` field, you need to pass the option `selector=event_type:suricata`. The `read_suricata` operator does this by default.

### `schema_only = bool (optional)`

When working with an existing schema, this option ensures that the output schema contains *only* the fields from that schema.

### `raw = bool (optional)`

Use only the raw types that are native to the parsed format. Fields that have a type specified in the chosen `schema` are still parsed according to the schema.

This means that JSON numbers are parsed as numbers, but every JSON string remains a string unless the field is in the `schema`.
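To make the selector behaviour and the `schema_only`/`raw` options concrete, here is an added Python model of what the operator does to a few constructed EVE lines; it is not Tenzir's own code, and the `SCHEMAS` table is a hypothetical stand-in for a typed `suricata.alert` schema.

```python
import ipaddress
import json
from datetime import datetime
from typing import Callable, Dict, List, Tuple

# Constructed sample, abridged from the eve.log shown on this page: one line per event_type.
EVE_LINES = """\
{"timestamp":"2011-08-12T14:52:57.716360+0200","pcap_cnt":83,"event_type":"alert","src_ip":"147.32.84.165","src_port":1181,"proto":"TCP","alert":{"signature_id":2017318,"severity":2}}
{"timestamp":"2011-08-12T14:55:22.154618+0200","event_type":"dns","src_ip":"147.32.84.165","src_port":1141,"dns":{"rrname":"irc.freenode.net","rrtype":"A"}}
{"timestamp":"2011-08-12T16:59:22.181050+0200","event_type":"fileinfo","src_ip":"74.207.254.18","src_port":80,"fileinfo":{"stored":true}}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata's default EVE timestamp layout

def infer(value):
    """Non-raw mode: promote strings that look like IPs or EVE timestamps; leave others as-is."""
    for parse in (ipaddress.ip_address, lambda s: datetime.strptime(s, TIME_FMT)):
        try:
            return parse(value)
        except ValueError:
            pass
    return value

# Hypothetical typed schema for suricata.alert (field -> type), standing in for a Tenzir schema.
SCHEMAS: Dict[str, Dict[str, Callable]] = {
    "suricata.alert": {"timestamp": infer, "event_type": str, "src_ip": ipaddress.ip_address,
                       "src_port": int, "alert": dict},
}

def schema_name(event: dict) -> str:
    """selector=event_type:suricata -> the schema is named 'suricata.<event_type>'."""
    return "suricata." + event["event_type"]

def parse_event(event: dict, schema_only: bool = False, raw: bool = False) -> Tuple[str, dict]:
    name = schema_name(event)
    schema = SCHEMAS.get(name)
    out = {}
    for field, value in event.items():
        if schema and field in schema:
            out[field] = schema[field](value)  # fields typed by the schema always follow the schema
        elif schema and schema_only:
            continue                           # schema_only: drop fields the schema does not declare
        elif raw or not isinstance(value, str):
            out[field] = value                 # raw: JSON numbers stay numbers, strings stay strings
        else:
            out[field] = infer(value)          # top-level strings only; nested records are not recursed
    return name, out

def read_suricata(text: str, schema_only: bool = False, raw: bool = False) -> List[Tuple[str, dict]]:
    """Split an EVE JSON stream into (schema name, event) pairs."""
    return [parse_event(json.loads(line), schema_only, raw)
            for line in text.splitlines() if line.strip()]
```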

## Examples

### Parse a Suricata EVE JSON log file

Here’s an `eve.log` sample:

```json
{"timestamp":"2011-08-12T14:52:57.716360+0200","flow_id":1031464864740687,"pcap_cnt":83,"event_type":"alert","src_ip":"147.32.84.165","src_port":1181,"dest_ip":"78.40.125.4","dest_port":6667,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2017318,"rev":4,"signature":"ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command","category":"Potentially Bad Traffic","severity":2},"flow":{"pkts_toserver":27,"pkts_toclient":35,"bytes_toserver":2302,"bytes_toclient":4520,"start":"2011-08-12T14:47:24.357711+0200"},"payload":"UFJJVk1TRyAjemFyYXNhNDggOiBzbXNzLmV4ZSAoMzY4KQ0K","payload_printable":"PRIVMSG #zarasa48 : smss.exe (368)\r\n","stream":0,"packet":"AB5J2xnDCAAntbcZCABFAABMGV5AAIAGLlyTIFSlTih9BASdGgvw0QvAxUWHdVAY+rCL4gAAUFJJVk1TRyAjemFyYXNhNDggOiBzbXNzLmV4ZSAoMzY4KQ0K","packet_info":{"linktype":1}}
{"timestamp":"2011-08-12T14:55:22.154618+0200","flow_id":2247896271051770,"pcap_cnt":775,"event_type":"dns","src_ip":"147.32.84.165","src_port":1141,"dest_ip":"147.32.80.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":553,"rrname":"irc.freenode.net","rrtype":"A","tx_id":0}}
{"timestamp":"2011-08-12T16:59:22.181050+0200","flow_id":472067367468746,"pcap_cnt":25767,"event_type":"fileinfo","src_ip":"74.207.254.18","src_port":80,"dest_ip":"147.32.84.165","dest_port":1046,"proto":"TCP","http":{"hostname":"www.nmap.org","url":"/","http_user_agent":"Mozilla/4.0 (compatible)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":301,"redirect":"http://nmap.org/","length":301},"app_proto":"http","fileinfo":{"filename":"/","magic":"HTML document, ASCII text","gaps":false,"state":"CLOSED","md5":"70041821acf87389e40ddcb092004184","sha1":"10395ab3566395ca050232d2c1a0dbad69eb5fd2","sha256":"2e4c462b3424afcc04f43429d5f001e4ef9a28143bfeefb9af2254b4df3a7c1a","stored":true,"file_id":1,"size":301,"tx_id":0}}
```

Import it as follows:

```tql
read_file "eve.log"
read_suricata
import
```

### Read Suricata EVE JSON from a Unix domain socket

Instead of writing to a file, Suricata can also connect to a Unix domain socket that Tenzir listens on, which saves a filesystem round-trip. This requires the following settings in your `suricata.yaml`:

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /run/suricata/eve.sock
```

Start Tenzir before Suricata so that Tenzir creates the socket and accepts the incoming EVE JSON stream:

```tql
accept_unix_socket "/run/suricata/eve.sock" {
  read_suricata
}
```

Suricata’s `unix-command` socket is separate from EVE output. It is a control socket for tools such as `suricatasc`, not an event stream for [`read_suricata`](https://preview.docs.tenzir.com/375/375/reference/operators/read_suricata.md).

## See Also

* [`read_json`](https://preview.docs.tenzir.com/375/375/reference/operators/read_json.md)
* [`accept_unix_socket`](https://preview.docs.tenzir.com/375/375/reference/operators/accept_unix_socket.md)
* [Suricata](https://preview.docs.tenzir.com/375/375/integrations/suricata.md)