
Integrate Suricata with Coralogix using OpenTelemetry

This guide explains how to integrate Suricata with Coralogix using the OpenTelemetry Collector. It leverages the flexibility and vendor-agnostic design of OpenTelemetry for observability pipelines.

Prerequisites

Before you begin, make sure you have the following:

  • Suricata installed and configured
  • OpenTelemetry Collector installed

Install Suricata

Debian/Ubuntu

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata -y

CentOS/RHEL

sudo yum install epel-release -y
sudo yum install suricata -y

Configure Suricata

Ensure Suricata writes logs in EVE JSON format, typically to:

/var/log/suricata/eve.json

The configuration file is located at:

/etc/suricata/suricata.yaml

Update the outputs section in suricata.yaml. The JSON log is produced by the eve-log output; the fast output only writes the one-line text fast.log and does not accept filetype: json:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      append: yes
      types:
        - alert
        - dns
        - flow
        - stats

Keep the stats type enabled: its counters are what you will use later to confirm that mirrored traffic is being captured. Validate the file with suricata -T -c /etc/suricata/suricata.yaml before restarting Suricata.

Install OpenTelemetry

See the GitHub documentation for installation details: https://github.com/coralogix/snowbit-integrations/tree/master/SIEM%20%26%20SaaS/OS%20Logs/Linux

OpenTelemetry Collector configuration

Save the following configuration as /etc/otelcol-contrib/config.yaml:

receivers:
  filelog:
    include:
      - /var/log/suricata/eve.json
    # Re-reads the whole file on every collector start. Switch to "end" (the
    # default) or add a storage extension once testing is done, otherwise old
    # events are re-sent after each restart.
    start_at: beginning
    operators:
      # Parses each EVE line; the parsed fields land in attributes, body keeps the raw line
      - type: json_parser
        id: suricata_json_parser
        parse_from: body
      # The filter operator DROPS entries that match its expression, so to forward
      # alerts only the expression must match the non-alert records. Remove this
      # operator to ship every event type enabled in suricata.yaml.
      - type: filter
        id: suricata_alert_filter
        expr: 'attributes.event_type != "alert"'

exporters:
  coralogix:
    domain: "coralogix.com"
    private_key: "<your-send-data-key>"
    application_name: "suricata"
    subsystem_name: "suricata"
    timeout: 30s

service:
  pipelines:
    logs:
      receivers: [ filelog ]
      exporters: [ coralogix ]

Note: Replace <your-send-data-key> with your Coralogix Send-Your-Data API key, and set domain to the domain of your Coralogix region (coralogix.com is the EU1 domain). Avoid keeping the key in the file: the collector expands environment variables, so private_key: "${env:CORALOGIX_PRIVATE_KEY}" keeps it out of config.yaml; either way, make config.yaml readable only by the collector's user.
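To see what the receiver above actually forwards, here is an added example (not Coralogix's or the collector's own code) that emulates the two operators in Python: json_parser puts the parsed object into attributes, and filter drops every entry for which its expression is true. The EVE records are constructed sample lines, including a truncated one such as a tailer may read mid-write; how the real collector treats a parse failure depends on the operator's on_error setting and is only approximated here by counting the line.

```python
import json

# Constructed sample EVE lines (not captured from a real sensor): two alerts, a
# dns and a flow record, and a truncated line as a tailer may read mid-write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.1.25","src_port":51234,"dest_ip":"10.0.2.10","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":2001219,"rev":20,'
    '"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.1.25","dest_ip":"10.0.0.2","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.1.25","dest_ip":"10.0.2.10","proto":"TCP",'
    '"flow":{"pkts_toserver":4,"pkts_toclient":3}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.7","src_port":44120,"dest_ip":"10.0.2.10","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"al',
]


def emulate_filelog(lines, drop_if):
    """Run raw lines through the page's two operators.

    json_parser: the parsed object goes to ``attributes``; ``body`` keeps the raw line.
    filter: an entry is DROPPED when ``drop_if(attributes)`` is true.
    Lines that fail to parse are counted instead of forwarded (a simplification).
    Returns (forwarded entries, dropped count, unparsed count).
    """
    forwarded, dropped, unparsed = [], 0, 0
    for line in lines:
        try:
            attributes = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        if drop_if(attributes):
            dropped += 1
            continue
        forwarded.append({"body": line, "attributes": attributes})
    return forwarded, dropped, unparsed


def drop_alerts(attributes):
    """The page's original condition, event_type == "alert", used as a drop rule:
    the alerts are exactly what gets removed."""
    return attributes.get("event_type") == "alert"


def drop_non_alerts(attributes):
    """Corrected condition: drop everything that is not an alert."""
    return attributes.get("event_type") != "alert"


def alert_summary(entry):
    """The fields an analyst will search for in Coralogix, from one forwarded alert."""
    a = entry["attributes"]
    return {
        "signature_id": a["alert"]["signature_id"],
        "signature": a["alert"]["signature"],
        "severity": a["alert"]["severity"],
        "src": f'{a["src_ip"]}:{a["src_port"]}',
        "dest": f'{a["dest_ip"]}:{a["dest_port"]}',
    }


if __name__ == "__main__":
    for name, rule in (("original", drop_alerts), ("corrected", drop_non_alerts)):
        fwd, dropped, bad = emulate_filelog(SAMPLE_EVE_LINES, rule)
        print(f"{name}: forwarded={len(fwd)} dropped={dropped} unparsed={bad}")
        for e in fwd:
            kind = e["attributes"]["event_type"]
            print("   ", kind, alert_summary(e) if kind == "alert" else "")
```

Running it shows the two rules forwarding disjoint halves of the same input: the corrected rule ships the two alerts, the original condition ships dns and flow and discards the alerts. Point the same functions at a real eve.json (for example emulate_filelog(open("/var/log/suricata/eve.json"), drop_non_alerts)) to preview what will reach Coralogix before enabling the exporter.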

Run the OpenTelemetry Collector

The packaged collector runs as a systemd service and reads /etc/otelcol-contrib/config.yaml by default, so after editing that file restart the service:

sudo systemctl restart otelcol-contrib

To run the collector in the foreground against an explicit configuration file (useful while troubleshooting; stop the service first so two collectors do not tail and ship the same file):

otelcol-contrib --config /etc/otelcol-contrib/config.yaml

The collector's user must be able to read /var/log/suricata/eve.json. If the file is created with restrictive permissions, grant that user read access (for example through group membership) rather than running the collector as root. Check journalctl -u otelcol-contrib for json_parser or exporter errors.

Run Suricata on the mirror interface

Start Suricata on the interface that receives the mirrored traffic (eth1 here; substitute the name reported by ip addr on your instance):

sudo suricata -i eth1 -c /etc/suricata/suricata.yaml -v

On Linux, -i captures with AF_PACKET; pass --pcap=eth1 instead if you specifically want libpcap capture. AWS delivers mirrored packets VXLAN-encapsulated on UDP port 4789, which Suricata's decoder handles by default (decoder.vxlan in suricata.yaml), so rules match on the inner, original packets.

Configure AWS traffic mirroring

Create a traffic mirror target

Define where mirrored traffic will be sent (the ENI of the Suricata instance).

  1. Go to VPC > Traffic Mirroring > Mirror Targets
  2. Click Create traffic mirror target
  3. Select the network interface of your Suricata EC2 instance
  4. Provide a name and description

Create a traffic mirror filter

Specify the type of traffic to mirror (for example, TCP, UDP, or all).

  1. Go to Mirror Filters and click Create filter
  2. Add inbound and outbound rules, each with:
     • Protocol: All, or a specific protocol (TCP, UDP, etc.)
     • Port range: optional
     • CIDR blocks: 0.0.0.0/0 to capture everything, or a narrower range

Create a traffic mirror session

Link the source instances to the Suricata target using the filter.

  1. Go to Mirror Sessions and click Create session
  2. Configure the following:
     • Source: the ENI of the monitored EC2 instance
     • Target: the mirror target created earlier
     • Filter: the mirror filter created earlier
     • Session number: priority when several sessions mirror the same source (the lowest number wins)
     • Packet length: optional number of bytes to mirror from each packet; leave it empty to mirror whole packets. Truncating (for example to 100 bytes) breaks Suricata's stream reassembly and most payload rules, so for IDS use mirror the full packet

Verify Suricata is receiving traffic

Once the session is active:

  • SSH into the Suricata instance
  • Confirm the name of the interface that received the mirror target ENI:
ip addr
  • Check that mirrored traffic is arriving. It is VXLAN-encapsulated, so filter on its UDP port:
sudo tcpdump -ni eth1 udp port 4789
  • Check the logs under /var/log/suricata/: in the stats events of eve.json, capture.kernel_packets and decoder.vxlan should increase between intervals, and alert events appear once a rule fires
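As an added example of the last check, not part of the original page: a Python health check over the stats events in eve.json. It reads the af-packet counters capture.kernel_packets and capture.kernel_drops and the decoder counter decoder.vxlan, all of which Suricata emits as cumulative values, and takes the delta over the last interval. The two stats records are constructed, and the 1% kernel-drop threshold is an assumption to tune for your sensor.

```python
import json

# Constructed stats records (not from a real sensor). Suricata writes a cumulative
# "stats" event at a fixed interval; these counters show whether mirrored traffic
# reaches the capture interface, is decoded as VXLAN, and is kept up with.
SAMPLE_STATS_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"stats","stats":'
    '{"uptime":8,"capture":{"kernel_packets":1200,"kernel_drops":0},'
    '"decoder":{"pkts":1200,"bytes":900000,"vxlan":1150,"invalid":0}}}',
    '{"timestamp":"2024-05-01T10:00:08.000000+0000","event_type":"stats","stats":'
    '{"uptime":16,"capture":{"kernel_packets":2700,"kernel_drops":10},'
    '"decoder":{"pkts":2690,"bytes":2000000,"vxlan":2600,"invalid":0}}}',
]

# Baseline used when only one stats event exists (counters are cumulative from start)
EMPTY = {"capture": {"kernel_packets": 0, "kernel_drops": 0}, "decoder": {"vxlan": 0}}


def last_stats_window(lines):
    """Return up to the last two stats events (oldest first); other event types
    and unparseable lines are skipped."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "stats":
            events.append(rec["stats"])
    return events[-2:]


def capture_health(lines, max_drop_ratio=0.01):
    """Summarise capture over the last stats interval and return a verdict dict.

    max_drop_ratio is an assumed threshold (1% kernel drops); tune it per sensor.
    """
    window = last_stats_window(lines)
    if not window:
        return {"ok": False, "reason": "no stats events; is the stats type enabled in eve-log?"}
    prev = window[0] if len(window) == 2 else EMPTY
    cur = window[-1]
    pkts = cur["capture"]["kernel_packets"] - prev["capture"]["kernel_packets"]
    drops = cur["capture"]["kernel_drops"] - prev["capture"]["kernel_drops"]
    vxlan = cur["decoder"].get("vxlan", 0) - prev["decoder"].get("vxlan", 0)
    ratio = drops / pkts if pkts else 0.0
    result = {"packets": pkts, "drops": drops, "vxlan": vxlan, "drop_ratio": ratio}
    if pkts == 0:
        result.update(ok=False, reason="no packets on the capture interface; check the mirror session and -i")
    elif vxlan == 0:
        result.update(ok=False, reason="packets seen but none VXLAN-decoded; wrong interface or decoder.vxlan disabled")
    elif ratio > max_drop_ratio:
        result.update(ok=False, reason=f"kernel drop ratio {ratio:.1%} above {max_drop_ratio:.0%}; sensor undersized")
    else:
        result.update(ok=True, reason="mirrored traffic arriving, decoded and kept up with")
    return result


if __name__ == "__main__":
    # Against a live sensor: capture_health(open("/var/log/suricata/eve.json"))
    print(capture_health(SAMPLE_STATS_LINES))
```

A verdict of "packets seen but none VXLAN-decoded" is the usual symptom of pointing -i at the wrong interface; a rising drop ratio as sessions are added is the cue to move to a larger Nitro instance, as the best practices below suggest.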

Completion

If all steps are followed, Suricata alerts should now be arriving in Coralogix under the application and subsystem names set in the exporter (suricata/suricata).

Best practices

  • Security groups: the security group (and any network ACL) on the Suricata instance's target interface must allow inbound UDP 4789 (VXLAN) from the mirror sources. Rules for the mirrored packets' original ports are irrelevant here, because Suricata receives encapsulated copies, not the original flows
  • Performance: Use Nitro-based instance types (c5, m5) for high throughput
  • Storage: Ensure adequate EBS storage for logs and packet data
  • Monitoring: Configure CloudWatch or an external logging system for long-term monitoring and alerting

Limitations

  • Mirrored traffic is read-only—Suricata cannot respond or modify packets
  • Cross-region mirroring is not supported
  • Traffic mirroring works only with Nitro-based instances for both source and target