
Suricata + Wazuh: Getting Network Alerts into a SIEM

December 15, 2025
#Suricata #Wazuh #Networking

Host logs are great, but they don't tell the whole story. If a compromised IoT device is scanning your network, your host agents might never see it. That's where Suricata comes in.

The Architecture

  1. Suricata sits on the gateway (or on a SPAN/mirror port that sees the segment's traffic) and inspects packets against its rule set.
  2. It writes alerts, as one JSON object per line, to /var/log/suricata/eve.json (the EVE output).
  3. The Wazuh Agent on that same box is configured to tail that JSON file and forward each line to the manager.
  4. The manager decodes the lines with its built-in Suricata decoder and rules, and the alerts appear in the Wazuh Dashboard.

The Config

It wasn't plug-and-play. Two things have to line up: the eve-log output must be enabled in suricata.yaml, and the agent has to be told to read the file. The second part meant adding a localfile entry to the agent's ossec.conf (at /var/ossec/etc/ossec.conf on a default install) and restarting the agent:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
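The entry above is easy to add by hand once, and easy to get wrong on the next ten agents (a duplicate block, or a copy of the syslog entry with only the path changed). The following script is an added example for this post, not Wazuh's own tooling: it checks whether the eve.json entry already exists with the right log_format, and inserts it before the closing </ossec_config> only if it is missing. The paths /var/ossec/etc/ossec.conf and /var/log/suricata/eve.json are assumed defaults, and SAMPLE_CONF is a constructed, minimal agent config.

```python
"""Idempotently add the Suricata EVE <localfile> entry to a Wazuh agent's ossec.conf.

Added example for this post, not Wazuh's own tooling. It assumes the default
paths /var/ossec/etc/ossec.conf and /var/log/suricata/eve.json, and inserts the
entry before the last </ossec_config> in the file.
"""
import re
import sys

EVE_PATH = "/var/log/suricata/eve.json"      # assumed default Suricata EVE path
OSSEC_CONF = "/var/ossec/etc/ossec.conf"     # assumed default agent config path

# The entry from the post, indented to match a stock ossec.conf.
EVE_LOCALFILE = (
    "  <localfile>\n"
    "    <log_format>json</log_format>\n"
    f"    <location>{EVE_PATH}</location>\n"
    "  </localfile>\n"
)

_LOCALFILE = re.compile(r"<localfile>(.*?)</localfile>", re.S)


def eve_localfile_status(conf: str) -> str:
    """Return 'ok', 'wrong_format' or 'missing' for the eve.json <localfile> entry.

    'wrong_format' catches the common slip of copying an existing syslog entry
    and changing only the path: the Suricata integration expects log_format json.
    """
    for block in _LOCALFILE.finditer(conf):
        body = block.group(1)
        loc = re.search(r"<location>\s*(.*?)\s*</location>", body, re.S)
        if loc and loc.group(1) == EVE_PATH:
            fmt = re.search(r"<log_format>\s*(.*?)\s*</log_format>", body, re.S)
            return "ok" if fmt and fmt.group(1) == "json" else "wrong_format"
    return "missing"


def add_eve_localfile(conf: str) -> str:
    """Return conf with the EVE entry inserted before the last </ossec_config>.

    Running it twice is a no-op. A wrong-format entry is left for a human to fix
    rather than being silently duplicated.
    """
    status = eve_localfile_status(conf)
    if status == "ok":
        return conf
    if status == "wrong_format":
        raise ValueError(f"{EVE_PATH} is configured with a non-json log_format; fix it by hand")
    end = conf.rfind("</ossec_config>")
    if end == -1:
        raise ValueError("no <ossec_config> block found")
    return conf[:end] + EVE_LOCALFILE + conf[end:]


# Constructed minimal agent config used when run stand-alone; a real one is longer.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>wazuh-manager.example.internal</address>
    </server>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    # Pass a path (e.g. OSSEC_CONF) to edit a real file in place; no arguments uses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        updated = add_eve_localfile(conf)
        if updated != conf:
            with open(sys.argv[1], "w") as fh:
                fh.write(updated)
        print("eve.json entry:", eve_localfile_status(updated))
    else:
        print(add_eve_localfile(SAMPLE_CONF))
```

After editing a real file, restart the agent (systemctl restart wazuh-agent) so logcollector picks up the new location; the script deliberately does not do that for you.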

Why This Matters

By correlating network data with host data in one place, you can reconstruct the attack chain: the same source IP shows up first in a Suricata alert and then in a host log, and the two events together tell you more than either one alone.

  • Network Alert: "ET SCAN Nmap Scripting Engine User-Agent" (Source: Attacker IP)
  • Host Alert: "SSHD Authentication Failed" (Target: Ubuntu Server)
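The join that makes those two bullets into one story is simple: same source IP, host event shortly after the network alert. The script below is an added example for this post, not code from the original or from Wazuh (Wazuh performs this kind of correlation in its rule engine once both sources are in the SIEM; this spells the logic out so it is visible). All log lines are constructed: the eve.json lines follow Suricata's EVE format, the sshd lines use rsyslog's RFC 3339 file format, and the 30-minute window is an assumed tuning value. It also shows two things a collector has to tolerate: non-alert EVE records such as flow events, and a half-written last line in a file Suricata is still appending to.

```python
"""Correlate Suricata EVE alerts with sshd authentication failures by source IP.

Added example for this post, not code from the original or from Wazuh. All log
lines below are constructed; the formats match Suricata's EVE JSON and rsyslog's
RFC 3339 file format on Ubuntu.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed eve.json lines: two alerts, a flow record, and a truncated tail line.
EVE_LINES = [
    '{"timestamp":"2025-12-15T10:01:05.000000+0000","event_type":"alert","src_ip":"192.0.2.77",'
    '"dest_ip":"198.51.100.10","proto":"TCP","alert":{"signature":"ET SCAN Nmap Scripting Engine '
    'User-Agent","category":"Web Application Attack","severity":1}}',
    '{"timestamp":"2025-12-15T10:01:06.000000+0000","event_type":"flow","src_ip":"192.0.2.77",'
    '"dest_ip":"198.51.100.10","proto":"TCP"}',
    '{"timestamp":"2025-12-15T10:30:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5",'
    '"dest_ip":"198.51.100.10","proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2025-12-15T10:31:00.000000+0000","event_type":"ale',  # partial write
]

# Constructed sshd lines as they would appear in /var/log/auth.log on the Ubuntu server.
AUTH_LINES = [
    "2025-12-15T10:02:40.000000+00:00 ubuntu-server sshd[2143]: Failed password for invalid user admin from 192.0.2.77 port 40122 ssh2",
    "2025-12-15T10:02:43.000000+00:00 ubuntu-server sshd[2143]: Failed password for root from 192.0.2.77 port 40122 ssh2",
    "2025-12-15T11:15:00.000000+00:00 ubuntu-server sshd[2200]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "2025-12-15T11:16:00.000000+00:00 ubuntu-server sshd[2201]: Accepted publickey for alice from 10.0.0.8 port 50002 ssh2",
]

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # %z accepts both +0000 (EVE) and +00:00 (rsyslog)
SSHD_FAIL = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT)


def parse_eve_alerts(lines):
    """Keep only event_type=alert records; skip non-JSON (e.g. partially written) lines."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": parse_ts(ev["timestamp"]),
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "signature": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
        })
    return alerts


def parse_sshd_failures(lines):
    """Extract failed-password events; successful logins are ignored."""
    failures = []
    for line in lines:
        m = SSHD_FAIL.match(line)
        if m:
            failures.append({"ts": parse_ts(m["ts"]), "host": m["host"],
                             "user": m["user"], "ip": m["ip"]})
    return failures


def correlate(alerts, failures, window=timedelta(minutes=30)):
    """Pair each sshd failure with earlier alerts from the same source IP within window."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["src_ip"], []).append(a)
    chains = []
    for f in failures:
        for a in by_ip.get(f["ip"], []):
            lag = f["ts"] - a["ts"]
            if timedelta(0) <= lag <= window:
                chains.append({"src_ip": f["ip"], "signature": a["signature"],
                               "target": f["host"], "user": f["user"],
                               "lag_seconds": int(lag.total_seconds())})
    return chains


def attack_chains(window=timedelta(minutes=30)):
    return correlate(parse_eve_alerts(EVE_LINES), parse_sshd_failures(AUTH_LINES), window)


if __name__ == "__main__":
    for c in attack_chains():
        print(f"{c['src_ip']}: {c['signature']!r} then sshd failure for "
              f"{c['user']}@{c['target']} {c['lag_seconds']}s later")
```

With the default window only the Nmap scan from 192.0.2.77 is tied to the two SSH failures that follow it; the SSH-scan alert from 203.0.113.5 is 45 minutes ahead of its failure and drops out, which is the usual trade-off when you pick a window: tight enough to avoid pairing unrelated noise from busy scanners, loose enough to catch a slow attacker.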

Seeing these two disparate events in one dashboard is the essence of a SOC Analyst's job.