[EN] Wazuh Suricata Integration
Hi everyone! In this article I will walk you through installing Suricata on Ubuntu 24.04 and integrating its logs with Wazuh for centralized monitoring.
Installing Suricata
Start by adding the official Suricata PPA, then update the package cache and install Suricata:
sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update
sudo apt install suricata -y
Enable Suricata to start automatically and launch the service:
sudo systemctl enable suricata
sudo systemctl start suricata
Suricata stores its configuration in /etc/suricata/. Custom, community, or commercial rule files can be placed under /etc/suricata/rules/.
Edit the main configuration file to fit your environment:
sudo nano /etc/suricata/suricata.yaml
Update the network variables and capture interface as needed. HOME_NET should cover the subnets you want Suricata to treat as internal, EXTERNAL_NET normally stays defined as everything that is not HOME_NET (the "any" alternative is left commented out), and the af-packet interface must be the NIC that actually sees the traffic. For example:
HOME_NET: "[10.0.0.0/24]"

EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"

af-packet:
  - interface: enp1s0
Pull the latest rule updates and restart the service to apply the changes:
sudo suricata-update
sudo systemctl restart suricata
Suricata writes its logs under /var/log/suricata/ by default: fast.log holds one-line alert summaries, and eve.json holds the full structured event stream (alerts, flows, DNS, HTTP, TLS and more) as one JSON object per line.
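Before pointing Wazuh at the logs, it is worth knowing what the eve.json stream actually contains, since those are the fields Wazuh will decode. The following script is an added example, not part of the original article or of the Suricata or Wazuh projects: it parses EVE JSON lines, tolerates the blank or half-written line you can hit while Suricata is mid-write, and summarizes the alert events by signature, source IP and severity. The embedded sample lines are constructed for the demonstration (the signature ids and names are illustrative); pass a path such as /var/log/suricata/eve.json as the first argument to run it on a real file.

```python
import json
import sys
from collections import Counter

# Constructed sample of Suricata EVE JSON output (not captured traffic).
# Includes one non-alert event and one malformed line to exercise the parser.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51515,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"10.0.0.8","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
this line is not json
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":4445,"dest_ip":"10.0.0.8","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
"""

# Suricata's numeric severity: 1 = high, 2 = medium, 3 = low, 4 = informational.
SEVERITY_NAMES = {1: "high", 2: "medium", 3: "low", 4: "info"}


def parse_eve(text):
    """Yield decoded EVE events, skipping blank or malformed lines.

    eve.json is appended to continuously, so a reader can see a partial
    last line; dropping it is safer than aborting the whole run.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def summarize_alerts(text):
    """Return counts of alert events by signature, source IP and severity."""
    events = list(parse_eve(text))
    alerts = [e for e in events if e.get("event_type") == "alert" and "alert" in e]
    by_signature = Counter(e["alert"].get("signature", "<unknown>") for e in alerts)
    by_src_ip = Counter(e.get("src_ip", "<unknown>") for e in alerts)
    by_severity = Counter(
        SEVERITY_NAMES.get(e["alert"].get("severity"), "unknown") for e in alerts
    )
    return {
        "total_events": len(events),
        "alerts": len(alerts),
        "by_signature": dict(by_signature),
        "by_src_ip": dict(by_src_ip),
        "by_severity": dict(by_severity),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVE
    print(json.dumps(summarize_alerts(text), indent=2))
```

The event_type filter matters: on a busy sensor the flow, dns and http records vastly outnumber alerts, and the `json` log_format on the Wazuh side will ship all of them, so check your eve.json output configuration (the `outputs` section of suricata.yaml) if agent log volume becomes a concern.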
Integrating Suricata with Wazuh
On the Wazuh agent, edit the main configuration file so the agent monitors the Suricata logs:
sudo nano /var/ossec/etc/ossec.conf
Add the following <localfile> entries inside the <ossec_config> block:
  <!-- Suricata -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/fast.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
Save the file and restart the Wazuh agent:
sudo systemctl restart wazuh-agent
Wazuh will now ingest Suricata alerts and events, making them available in the Wazuh dashboard for correlation and alerting.
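A quick way to catch the two mistakes that most often break this step (a missing localfile entry, or eve.json declared with the syslog format, which leaves the JSON fields undecoded) is to parse ossec.conf and compare it against what the article expects. The script below is an added example, not part of the original article or of Wazuh itself. It assumes the file layout shown above and accounts for one quirk of ossec.conf: it may contain several top-level ossec_config blocks, so it is not a single well-formed XML document and has to be wrapped before parsing. The embedded sample configuration is constructed and deliberately misdeclares eve.json so the check has something to report; run it with the real path as an argument on the agent.

```python
import sys
import xml.etree.ElementTree as ET

# What this integration expects: location -> required log_format.
EXPECTED_LOCALFILES = {
    "/var/log/suricata/fast.log": "syslog",
    "/var/log/suricata/eve.json": "json",
}

# Constructed ossec.conf excerpt (not a real agent's file). The manager
# address is a placeholder, and eve.json is deliberately mis-declared.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP_PLACEHOLDER</address>
    </server>
  </client>
</ossec_config>

<ossec_config>
  <!-- Suricata -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/fast.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
"""


def parse_localfiles(conf_text):
    """Map each <localfile> location to the list of log_format values declared for it.

    ossec.conf may hold multiple top-level <ossec_config> elements, so wrap
    the whole text in a synthetic root to make it parseable as one document.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for localfile in root.iter("localfile"):
        location = (localfile.findtext("location") or "").strip()
        log_format = (localfile.findtext("log_format") or "").strip()
        if location:
            found.setdefault(location, []).append(log_format)
    return found


def check_suricata_localfiles(conf_text):
    """Return a list of human-readable problems; an empty list means the entries look right."""
    found = parse_localfiles(conf_text)
    problems = []
    for location, wanted_format in EXPECTED_LOCALFILES.items():
        formats = found.get(location)
        if not formats:
            problems.append(f"missing <localfile> entry for {location}")
        elif len(formats) > 1:
            # Duplicate entries make the agent read the file twice.
            problems.append(f"{location} is declared {len(formats)} times")
        elif formats[0] != wanted_format:
            problems.append(
                f"{location} has log_format {formats[0]!r}, expected {wanted_format!r}"
            )
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_OSSEC_CONF
    issues = check_suricata_localfiles(conf)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("Suricata localfile entries look correct")
```

If the check passes but nothing shows up in the dashboard, the usual next places to look are the agent's own log at /var/ossec/logs/ossec.log (it reports files it could not open) and the read permissions on /var/log/suricata/, since the agent runs unprivileged by default.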
Thanks for reading, and keep up the good work!