Hi everyone! In this article I will walk you through installing Suricata on Ubuntu 24.04 and integrating its logs with Wazuh for centralized monitoring.
Installing Suricata
Start by adding the official Suricata PPA, then update the package cache and install Suricata:
sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update
sudo apt install suricata -y

Enable Suricata to start automatically and launch the service:
sudo systemctl enable suricata
sudo systemctl start suricata

Suricata keeps its configuration under /etc/suricata/. Custom, community, or commercial rule files can be placed under /etc/suricata/rules/, but be aware that suricata-update writes the merged rule set it downloads to /var/lib/suricata/rules/suricata.rules; which files Suricata actually loads is governed by the default-rule-path and rule-files settings in suricata.yaml, so check those before assuming a file you dropped in is active.
Edit the main configuration file to fit your environment:
sudo nano /etc/suricata/suricata.yaml

Update the network variables (under vars: address-groups:) and the capture interface as needed. For example:
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    # EXTERNAL_NET: "any"

af-packet:
  - interface: enp1s0

Define EXTERNAL_NET only once. YAML keys must be unique, so keeping two EXTERNAL_NET lines at best silently takes the last value and at worst fails to parse; the "any" form is shown here commented out as the alternative to "!$HOME_NET". HOME_NET should list every prefix you consider internal, since many rules only fire in one direction relative to it.

Pull the latest rule updates and restart the service to apply the changes:
sudo suricata-update
sudo systemctl restart suricata

If the restart fails, sudo suricata -T -c /etc/suricata/suricata.yaml runs a configuration test that parses the YAML and loads the rules without capturing traffic, and reports the offending line. Suricata writes its logs under /var/log/suricata/ by default: alerts go to fast.log as one text line each, and to eve.json, alongside flow, DNS, HTTP and other event types, as one JSON object per line.
Integrating Suricata with Wazuh
On the Wazuh agent, edit the main configuration file so the agent monitors the Suricata logs:
sudo nano /var/ossec/etc/ossec.conf

Add the following <localfile> entries inside the <ossec_config> block:
<!-- Suricata -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/suricata/fast.log</location>
</localfile>
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>

Save the file and restart the Wazuh agent:
sudo systemctl restart wazuh-agent

Wazuh will now ingest the Suricata events and make them available in the Wazuh dashboard for correlation and alerting; Wazuh's bundled ruleset already includes rules for Suricata's EVE JSON events. Two things to keep in mind. First, every alert Suricata writes to fast.log is also written to eve.json as an event with event_type "alert", so monitoring both files yields two Wazuh alerts per detection; if you keep only one, keep eve.json, which carries the richer record. Second, the json log format expects each line of the file to be one complete JSON object, which is what Suricata's EVE output produces, and the agent must be able to read the files, so check the ownership and permissions of /var/log/suricata/ if nothing shows up.
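To confirm what each file actually hands to the agent, it helps to look at the records themselves. The following Python script is an added example and is not code from the original article, from Suricata or from Wazuh. It parses eve.json lines, keeps only the records Suricata emits for rule matches (event_type "alert"), counts them per signature, tolerates a truncated line such as a reader sees when tailing a file Suricata is still writing, and renders an EVE alert in the fast.log line format to show that both files carry the same alert. The sample lines are constructed to match Suricata's documented EVE alert fields (they are not captured traffic), and sid 1000001 with its signature text is a made-up local rule.

```python
#!/usr/bin/env python3
"""Summarize Suricata EVE JSON alerts and show how they map onto fast.log lines."""
import json
import sys
from collections import Counter
from datetime import datetime

# Constructed sample of eve.json lines (written for this example, not captured
# traffic). sid 1000001 is a made-up local rule. The last line is deliberately
# truncated, as a log reader may see it while Suricata is mid-write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:15:30.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL TEST outbound HTTP to test host",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-05-01T10:15:31.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:15:32.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}',
    '{"timestamp":"2024-05-01T10:15:33.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.10","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL TEST outbound HTTP to test host",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-05-01T10:15:34.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":5',
]


def parse_eve(lines):
    """Parse one-JSON-object-per-line EVE output.

    Returns (events, bad_lines). Malformed lines are counted and skipped rather
    than aborting: Wazuh's json log_format likewise needs one complete object
    per line, and a partial line must not poison the rest of the file.
    """
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def alerts_only(events):
    """Keep only records Suricata emits for rule matches (not flow/dns/http/...)."""
    return [e for e in events if e.get("event_type") == "alert" and "alert" in e]


def eve_to_fast(e):
    """Render an EVE alert record in the single-line format Suricata uses in fast.log."""
    ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    a = e["alert"]
    return (f'{ts.strftime("%m/%d/%Y-%H:%M:%S.%f")}  [**] '
            f'[{a["gid"]}:{a["signature_id"]}:{a["rev"]}] {a["signature"]} [**] '
            f'[Classification: {a["category"]}] [Priority: {a["severity"]}] '
            f'{{{e["proto"]}}} {e["src_ip"]}:{e["src_port"]} -> {e["dest_ip"]}:{e["dest_port"]}')


def summarize_alerts(events):
    """Count alerts per (sid, signature) so a flood from a single rule stands out."""
    return Counter((e["alert"]["signature_id"], e["alert"]["signature"])
                   for e in alerts_only(events))


def main(argv):
    # With a path argument the script reads a real eve.json; otherwise the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_EVE_LINES
    events, bad = parse_eve(lines)
    alerts = alerts_only(events)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped, {len(alerts)} alert(s)")
    for (sid, sig), n in summarize_alerts(events).most_common():
        print(f"  sid {sid}: {n}x {sig}")
    for e in alerts:
        print("fast.log equivalent:", eve_to_fast(e))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 eve_summary.py /var/log/suricata/eve.json on the sensor after the restart: the alert count tells you Suricata is producing detections, and the rendered fast.log lines make the duplication concrete if both files are monitored.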
Thanks for reading, and keep up the good work!