services.suricata.settings.outputs

Configure the type of alert (and other) logging you would like.

Valid output types are, for example, fast, eve-log, syslog, file-store, ...

For more details regarding the configuration, check out the shipped suricata.yaml

nix-shell -p suricata yq coreutils-full --command 'yq < $(dirname $(which suricata))/../etc/suricata/suricata.yaml'

and the Suricata documentation.

Type
null or (list of attribute set of (open submodule of (YAML 1.1 value)))
Default
null
Example
[
  {
    fast = {
      enabled = "yes";
      filename = "fast.log";
      append = "yes";
    };
  }
  {
    eve-log = {
      enabled = "yes";
      filetype = "regular";
      filename = "eve.json";
      community-id = true;
      types = [
        {
          alert.tagged-packets = "yes";
        }
      ];
    };
  }
];
Declared
<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
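A complete NixOS configuration fragment that uses this option, added here as an illustration and not taken from the NixOS manual or the nixpkgs module. It assumes that services.suricata.enable exists beside settings (not shown on this page) and that the list is rendered as-is into the outputs: section of the generated suricata.yaml; the eve-log types beyond alert and the syslog keys follow the shipped suricata.yaml.

```nix
# Added example (not from the NixOS manual or the nixpkgs module).
# Assumptions: services.suricata.enable exists next to settings, and every
# attribute under settings.outputs is written verbatim into suricata.yaml.
{ config, pkgs, ... }:
{
  services.suricata = {
    enable = true;
    settings.outputs = [
      # Human-readable one-line alerts: handy to tail while tuning rules.
      {
        fast = {
          enabled = "yes";
          filename = "fast.log";
          append = "yes";
        };
      }
      # Structured JSON for a SIEM. community-id lets alert, flow and DNS
      # records be joined with Zeek or other sensors watching the same traffic.
      {
        eve-log = {
          enabled = "yes";
          filetype = "regular";
          filename = "eve.json";
          community-id = true;
          types = [
            { alert.tagged-packets = "yes"; }   # include the packet that fired
            { http.extended = "yes"; }          # extra HTTP header fields
            { tls.extended = "yes"; }           # certificate details
            "dns"                               # bare type names are accepted
            "flow"
            { stats.totals = "yes"; }           # periodic engine counters
          ];
        };
      }
      # Syslog output declared but left off; flip enabled to "yes" to forward
      # alerts to the local syslog daemon with the given facility.
      {
        syslog = {
          enabled = "no";
          facility = "local5";
          level = "Info";
        };
      }
    ];
  };
}
```

The page's own example mixes quoted "yes" strings with the Nix boolean true; Suricata reads both as enabled, so either spelling works, but keep one style per file so a reviewer can grep for enabled = "no" reliably.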