# Suricata IDS

Suricata IDS is an open-source intrusion detection and prevention engine that inspects network traffic for malware, exploit attempts, lateral movement, and policy violations. Connecting Suricata IDS forwards EVE JSON intrusion alerts to Radiant Security through the Radiant Agent over syslog. Radiant uses these alerts to correlate network-layer threats with endpoint and identity telemetry during AI triage, giving analysts the full attack context behind every alert.

### Prerequisites

* [ ] Administrator access to the Suricata IDS host
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from the Suricata IDS host
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Suricata IDS**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. Click **Add Connector**.

### Configure Suricata IDS to forward syslog

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Suricata IDS data. If you do not know the port, contact your Customer Success representative.

The steps below configure Suricata to emit EVE logs to the local syslog daemon, then configure rsyslog to forward those messages to the Radiant Agent. For the underlying Suricata options, see the [Suricata EVE output documentation](https://docs.suricata.io/en/latest/output/index.html).

{% hint style="info" %}
The example uses the syslog facility `local0`. If `local0` is already in use on the host, replace it with an unused facility in both the Suricata and rsyslog configurations.
{% endhint %}

1. Open the Suricata configuration file (typically `/etc/suricata/suricata.yaml`) and add the following block under the `outputs` section:

```yaml
   - eve-log:
       enabled: yes
       filetype: syslog
       facility: local0
       hostname: localhost
```

2. Open the rsyslog configuration file (typically `/etc/rsyslog.conf`) and add a forwarding rule for the chosen facility:

```
local0.* @<RADIANT_AGENT_IP>:<RADIANT_AGENT_PORT>
```

3. Replace `<RADIANT_AGENT_IP>` and `<RADIANT_AGENT_PORT>` with the IP address and port of the Radiant Agent host.

4. Restart Suricata and rsyslog to apply the changes:

```bash
sudo systemctl restart suricata
sudo systemctl restart rsyslog
```
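To confirm what the Radiant Agent will actually receive once the services restart, the following added check (example code, not part of the connector, Suricata or rsyslog) parses lines in rsyslog's default RFC 3164 forwarding format, decodes the EVE JSON body, and flags records whose syslog facility is not the `local0` the rule above selects. A single `@` in the rsyslog rule forwards over UDP, where a long EVE record can arrive truncated, so an incomplete JSON body is treated as malformed rather than reported as an alert. The `sensor01` host, the `suricata` identity tag and the sample records are constructed assumptions for this example.

```python
import json
import re

# Shape of a line rsyslog forwards by default: RFC 3164 header, then the EVE JSON body.
#   <PRI>Mon dd hh:mm:ss host suricata[pid]: {...}
# PRI = facility * 8 + severity; local0 is facility 16 and Suricata's default level Info is 6.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\w{3}\s+\d{1,2}\s[\d:]{8}\s(?P<host>\S+)\s"
    r"(?P<ident>[^\[:]+)(?:\[\d+\])?:\s*(?P<msg>\{.*\})\s*$"
)


def parse_eve_syslog(line: str) -> "dict | None":
    """Split one forwarded line into header fields plus the decoded EVE record; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        eve = json.loads(m.group("msg"))
    except json.JSONDecodeError:  # truncated or non-JSON body: never treat it as an alert
        return None
    if not isinstance(eve, dict) or "event_type" not in eve:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
            "ident": m.group("ident"), "eve": eve}


def summarize(rec: dict, expected_facility: int = 16) -> str:
    """One-line triage summary. A facility other than the one the rsyslog rule
    (local0.* == 16) selects means the Suricata and rsyslog edits disagree."""
    eve = rec["eve"]
    tag = "" if rec["facility"] == expected_facility else f" [facility {rec['facility']} != {expected_facility}]"
    if eve["event_type"] == "alert":
        a = eve.get("alert", {})
        return (f"alert sev={a.get('severity')} {eve.get('src_ip')} -> "
                f"{eve.get('dest_ip')} {a.get('signature')}{tag}")
    return f"{eve['event_type']} event from {rec['host']}{tag}"


def triage(lines: "list[str]") -> "list[str]":
    """Parse each line, drop the unparseable ones and return the summaries."""
    return [summarize(r) for r in map(parse_eve_syslog, lines) if r is not None]


# Constructed sample lines (not captured traffic): a valid alert, a flow record,
# a truncated message, and an alert tagged local7 (facility 23) instead of local0.
SAMPLE_LINES = [
    '<134>Jan  5 12:34:56 sensor01 suricata[1234]: {"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"TEST rule","severity":2}}',
    '<134>Jan  5 12:34:57 sensor01 suricata[1234]: {"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '<134>Jan  5 12:34:58 sensor01 suricata[1234]: {"event_type":"alert","src_ip":"10.0.0.5"',
    '<190>Jan  5 12:34:59 sensor01 suricata[1234]: {"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"TEST rule 2","severity":1}}',
]
```

Feed lines captured by a test UDP listener on the Agent port through `triage` to confirm that the facility and the complete JSON body survive forwarding.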
