Installing and Integrating Suricata in a SOC Lab with Wazuh: IDS, Logs, Correlation, and Dashboards
In a modern SOC, network traffic is one of the most valuable sources of truth. Endpoints, servers, and applications only tell part of the story: what happens on the network often anticipates or accompanies an attack long before it is detected at the host level. This is why, within my virtual SOC lab, I decided to integrate a real and mature network IDS like Suricata, connecting it directly to the Wazuh server for centralized correlation and visualization.
This article describes in detail how I installed Suricata, where I placed it within the lab architecture, how I integrated it with Wazuh, and how I built a dedicated dashboard for analyzing network alerts. The goal is not just to “make it work,” but to understand why Suricata and Wazuh work so well together and how this setup reflects what actually happens inside a real SOC.
What Suricata Is and Why It Matters in a SOC
Suricata is an open-source IDS/IPS capable of analyzing network traffic in real time using signature rules, protocol anomaly detection, and deep protocol parsing. Unlike simpler tools, Suricata understands application-layer protocols such as HTTP, DNS, TLS, SMTP, and many others, so its alerts carry the decoded fields of the transaction that triggered them rather than just a packet header.
In IDS mode, Suricata passively monitors traffic and generates alerts without interfering. In IPS mode, it can be deployed inline to actively block malicious traffic. In my lab, Suricata is used strictly as an IDS, which aligns with a monitoring and analysis use case rather than active prevention.
Suricata’s real strength lies not only in detecting known patterns, but in the richness of its events: source and destination IPs, ports, protocols, triggered signatures, severity, categories, HTTP requests, DNS queries, and more. All of this becomes truly powerful when centralized and correlated by a SIEM/XDR platform like Wazuh.
Where Suricata Was Installed in the Lab
In this lab, I installed Suricata directly on a Linux server acting as a monitoring node, connected to the same NAT virtual network as the endpoint machines. This allows Suricata to observe traffic generated by the endpoints toward external networks as well as internal communications, provided the sensor's interface runs in promiscuous mode and the hypervisor permits it (in VirtualBox, for example, the adapter's Promiscuous Mode setting must be "Allow VMs" or "Allow All"); otherwise Suricata only sees the monitoring node's own traffic.
This design mirrors a very common real-world architecture: an IDS sensor placed at a strategic point in the network, not necessarily on every host, but where meaningful traffic flows. In enterprise environments, Suricata is often deployed on dedicated sensors or network gateways for exactly this reason.
Installing Suricata on Ubuntu Server
Installing Suricata on Ubuntu is straightforward and stable thanks to official repositories. After updating the system, I installed the package and verified that the service was running correctly.
sudo apt update
sudo apt install suricata -y
Once installed, I verified the version and service status:
suricata --version
sudo systemctl status suricata
Suricata uses /etc/suricata/suricata.yaml as its main configuration file. Three settings matter for this setup: the capture interface (under af-packet; it must be the interface attached to the lab network), the HOME_NET variable (the default covers all RFC 1918 space, which works in a NAT lab, but narrowing it to the lab subnet makes rules written in terms of $HOME_NET and $EXTERNAL_NET far more precise), and, most importantly, the eve-log output, which is essential for integration with Wazuh. With eve-log enabled, Suricata writes structured events to /var/log/suricata/eve.json, one JSON object per line, containing alerts, flows, DNS, HTTP, TLS, and other network activity, distinguished by the event_type field.
Updating Suricata Rules
An IDS is useless without up-to-date rules. I used suricata-update to download and enable public rule sets; by default it fetches the Emerging Threats Open ruleset and writes a single merged file to /var/lib/suricata/rules/suricata.rules, so the default-rule-path and rule-files entries in suricata.yaml must point there (the Ubuntu package is set up this way). Running Suricata's configuration test (-T) before the restart catches a bad rule path or a syntax error without an outage.
sudo suricata-update
sudo systemctl restart suricata
From this point on, Suricata begins generating real alerts, even for legitimate but security-relevant traffic such as suspicious DNS queries, scanning behavior, or unusual application patterns.
Why Suricata and Wazuh Work So Well Together
Wazuh is an XDR and SIEM designed to correlate events from multiple sources: endpoints, system logs, applications, and network sensors. Suricata produces rich network events but lacks global context. It does not know whether a source IP belongs to an internal endpoint, whether a host is already compromised, or whether an alert is recurring over time.
By integrating Suricata with Wazuh, we gain:
centralized network alert collection
correlation with host-based events
SOC-level enrichment and context
advanced visualization through dashboards
alerting and automation capabilities
In practice, Suricata becomes the SOC’s “eyes on the network,” while Wazuh acts as the brain that interprets what those eyes see.
Integrating Suricata with Wazuh
The integration is clean and reliable because Wazuh ships decoders and rules for Suricata's EVE format. All that is needed is a log collector entry that reads eve.json with the json log format. On the Wazuh server, I added it to /var/ossec/etc/ossec.conf, inside the ossec_config block:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

This works because, in my lab, the manager can read eve.json locally. If the Suricata sensor is a separate node, the same localfile block goes into the agent's ossec.conf on that node and it is the wazuh-agent service, not the manager, that is restarted; the manager then receives the events through the agent channel and decodes them exactly the same way.
After restarting Wazuh, the manager immediately began decoding Suricata events, applying built-in decoders and rules. Alerts are transformed into structured SOC events with severity levels, categories, and metadata ready for visualization and correlation.
sudo systemctl restart wazuh-manager
At this point, Suricata events appear in /var/ossec/logs/alerts/alerts.json as soon as Suricata raises an alert, with the EVE fields preserved under data (for example data.alert.signature, data.alert.severity, data.src_ip); those are the fields the dashboard visualizations are built on. A simple end-to-end check is to request http://testmynids.org/uid/index.html from an endpoint: the page is designed to trigger the "GPL ATTACK_RESPONSE id check returned root" signature in the ET Open ruleset, so the alert should show up in Suricata's eve.json and then in Wazuh within seconds.
Building the Suricata Dashboard in Wazuh
Once events are flowing, visualization becomes the most valuable part. By accessing the Wazuh web dashboard via browser at:
https://ip.server.wazuh:443
and authenticating with the configured credentials, I used the visualization module to build a dedicated Suricata dashboard.
The dashboard includes visualizations that show:
alert volume over time
event severity distribution
attack categories
most frequent source and destination IPs
most triggered Suricata signatures
involved network protocols
These views allow rapid identification of anomalies, recurring patterns, or sudden spikes in suspicious activity. Even alerts classified as “informational” become meaningful when observed over time and within the correct context.
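As an added example (not code from the original article, and not part of Suricata or Wazuh), the following Python script reproduces the dashboard's aggregates directly from eve.json: it reads the file line by line, keeps only event_type "alert" records, and counts severity, category, signature, source and destination IP, protocol, and alerts per five-minute bucket. The sample lines are constructed, with lab-local signature IDs in the 9000000 range rather than real ET Open rules, and the file path in load_eve_file is an assumption that matches the default on the page.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed eve.json sample (not captured from a real sensor). The shape follows
# Suricata's EVE format: one JSON object per line, 'event_type' selects the record
# kind, and alert records carry an 'alert' object. Signature IDs are lab-local
# (9000000 range), not real ET Open rules. The last line is deliberately truncated,
# as happens when the file is read while Suricata is mid-write.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.2.15","src_port":51234,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TEST suspicious HTTP response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.2.15","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.2.15","src_port":53001,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","alert":{"signature_id":9000002,"signature":"LAB TEST DNS query to suspicious TLD","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.2.15","dest_ip":"10.0.2.3","proto":"UDP","dns":{"type":"query","rrname":"update.example.top","rrtype":"A"}}
{"timestamp":"2024-05-01T10:02:10.000000+0000","event_type":"alert","src_ip":"10.0.2.20","src_port":40001,"dest_ip":"10.0.2.15","dest_port":22,"proto":"TCP","alert":{"signature_id":9000003,"signature":"LAB TEST port scan","category":"Attempted Information Leak","severity":1}}
{"timestamp":"2024-05-01T10:07:45.000000+0000","event_type":"alert","src_ip":"10.0.2.20","src_port":40002,"dest_ip":"10.0.2.15","dest_port":445,"proto":"TCP","alert":{"signature_id":9000003,"signature":"LAB TEST port scan","category":"Attempted Information Leak","severity":1}}
{"timestamp":"2024-05-01T10:09:00.000000+0000","event_type":"al
"""


def parse_eve(text):
    """Parse eve.json content into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A partially written last line is normal when reading a live file;
            # drop it instead of aborting the whole run.
            continue
    return events


def alerts_only(events):
    """Keep alert records; flow/dns/http records are context, not detections."""
    return [e for e in events if e.get("event_type") == "alert"]


def time_bucket(timestamp, minutes):
    """Floor an EVE timestamp (microseconds, numeric UTC offset) to a bucket."""
    ts = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%f%z")
    floored = ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)
    return floored.isoformat()


def summarize(alerts, bucket_minutes=5):
    """Compute the same aggregates the dashboard panels display."""
    fields = ("severity", "category", "signature", "src_ip", "dest_ip", "proto", "volume")
    summary = {name: Counter() for name in fields}
    for a in alerts:
        al = a.get("alert", {})
        summary["severity"][al.get("severity")] += 1   # Suricata: 1 = high ... 3 = low
        summary["category"][al.get("category")] += 1
        summary["signature"][al.get("signature")] += 1
        summary["src_ip"][a.get("src_ip")] += 1
        summary["dest_ip"][a.get("dest_ip")] += 1
        summary["proto"][a.get("proto")] += 1
        summary["volume"][time_bucket(a["timestamp"], bucket_minutes)] += 1
    return summary


def load_eve_file(path="/var/log/suricata/eve.json"):
    """Read a real eve.json from disk (path is an assumption matching the article)."""
    with open(path, encoding="utf-8") as fh:
        return parse_eve(fh.read())


if __name__ == "__main__":
    report = summarize(alerts_only(parse_eve(SAMPLE_EVE)))
    for name, counter in report.items():
        print(f"{name}: {counter.most_common(3)}")
```

Running it on a real sensor is a matter of replacing SAMPLE_EVE with load_eve_file(); the malformed-line handling matters there, because the tail of a live eve.json is frequently a half-written record.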
From Raw Traffic to SOC-Level Analysis
The real value of this integration is not the single alert, but the ability to tell a story. A suspicious DNS event detected by Suricata can be correlated with an abnormal process on an endpoint. An unusual HTTP download can be linked to subsequent file modifications on Windows or Linux systems.
This is exactly how a real SOC operates: no tool works in isolation. Suricata provides the network signal, Wazuh correlates it with the rest of the environment, and the analyst gains a coherent, investigable view.
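As an added example of the correlation described above (not part of the original article, and not Wazuh's own rule engine), the following Python script joins Suricata alerts with Wazuh host events on the same endpoint inside a time window, and flags source IPs whose alerts recur within a short span, which is the "is this alert recurring over time" question Suricata alone cannot answer. All records are constructed: the Suricata side follows the eve.json alert layout, the host side follows the layout of Wazuh's alerts.json (agent, rule, syscheck fields). The agent names, file paths, and window sizes are assumptions.

```python
from datetime import datetime


def parse_ts(value):
    """Both eve.json (microseconds) and Wazuh alerts.json (milliseconds) use
    ISO 8601 with a numeric offset; %f accepts 1-6 fractional digits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


# Constructed Suricata alert records (eve.json layout, lab-local signatures).
SURICATA_ALERTS = [
    {"timestamp": "2024-05-01T10:00:01.000000+0000", "src_ip": "10.0.2.15", "dest_ip": "198.51.100.7",
     "alert": {"signature": "LAB TEST executable download over HTTP", "severity": 2}},
    {"timestamp": "2024-05-01T10:02:10.000000+0000", "src_ip": "10.0.2.20", "dest_ip": "10.0.2.15",
     "alert": {"signature": "LAB TEST port scan", "severity": 1}},
    {"timestamp": "2024-05-01T10:02:11.000000+0000", "src_ip": "10.0.2.20", "dest_ip": "10.0.2.15",
     "alert": {"signature": "LAB TEST port scan", "severity": 1}},
    {"timestamp": "2024-05-01T10:02:12.000000+0000", "src_ip": "10.0.2.20", "dest_ip": "10.0.2.15",
     "alert": {"signature": "LAB TEST port scan", "severity": 1}},
]

# Constructed Wazuh host events (alerts.json layout; agent names and paths are assumptions).
HOST_EVENTS = [
    {"timestamp": "2024-05-01T10:00:40.123+0000",
     "agent": {"id": "001", "name": "win-endpoint", "ip": "10.0.2.15"},
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "syscheck": {"path": "C:\\Users\\lab\\Downloads\\update.exe", "event": "added"}},
    {"timestamp": "2024-05-01T10:00:50.456+0000",
     "agent": {"id": "002", "name": "linux-endpoint", "ip": "10.0.2.30"},
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "syscheck": {"path": "/tmp/build.log", "event": "added"}},
    {"timestamp": "2024-05-01T10:30:00.000+0000",
     "agent": {"id": "001", "name": "win-endpoint", "ip": "10.0.2.15"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "event": "modified"}},
]


def correlate(alerts, host_events, window_s=300):
    """Pair each network alert with host events on the same endpoint that occur
    within window_s seconds after it. The endpoint may be either side of the
    flow: the source for outbound activity, the destination for inbound."""
    hits = []
    for a in alerts:
        a_ts = parse_ts(a["timestamp"])
        endpoints = {a.get("src_ip"), a.get("dest_ip")}
        for h in host_events:
            ip = h.get("agent", {}).get("ip")
            if ip not in endpoints:
                continue
            delta = (parse_ts(h["timestamp"]) - a_ts).total_seconds()
            if 0 <= delta <= window_s:
                hits.append({
                    "signature": a["alert"]["signature"],
                    "endpoint": ip,
                    "agent": h["agent"].get("name"),
                    "host_rule": h["rule"]["description"],
                    "path": h.get("syscheck", {}).get("path"),
                    "delta_s": int(delta),
                })
    return hits


def recurring_sources(alerts, threshold=3, window_s=60):
    """Return source IPs that raised at least `threshold` alerts inside any
    window_s-second span (a sliding window over sorted timestamps)."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src_ip"], []).append(parse_ts(a["timestamp"]))
    noisy = set()
    for src, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                noisy.add(src)
                break
    return noisy


if __name__ == "__main__":
    for hit in correlate(SURICATA_ALERTS, HOST_EVENTS):
        print(f"{hit['signature']} -> {hit['agent']} ({hit['endpoint']}): "
              f"{hit['host_rule']} {hit['path']} after {hit['delta_s']}s")
    print("recurring sources:", recurring_sources(SURICATA_ALERTS))
```

In the sample, the HTTP download alert on 10.0.2.15 is followed 39 seconds later by a new file in that endpoint's Downloads folder, which is the kind of pairing that turns a level-5 file event and a severity-2 network alert into one investigable story; the hosts-file change half an hour later falls outside the window and stays unlinked, and 10.0.2.20 is flagged because three scan alerts landed inside a single minute.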
In this lab, Suricata is not just an IDS “making noise,” but a core component of a complete, realistic monitoring ecosystem—one that is ready to simulate real attack scenarios and SOC workflows.