# Suricata IDS (syslog)

In this guide, you will set up the Suricata IDS connector in Radiant so that Suricata logs are forwarded to Radiant.

### Prerequisites

* [ ] Admin access to Suricata IDS.

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Radiant Agent** option and then click **Data Feeds**.
4. Under **Select your data feeds**, select **Suricata IDS** and click **Credentials**.
5. Under **Credential Name**, give your Radiant Agent integration an identifiable name (e.g. `Radiant Agent Integration`).
6. Click **Add Connector**.

### Configure a local Radiant Security Agent

Refer to the [Install the Radiant Security Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) guide to set up a local agent to collect the logs.

### Configure Suricata IDS to forward logs to the Radiant Security Log Collector

The following is a suggested way to configure Suricata and rsyslog to send logs to the Radiant Agent. Feel free to use the syslog forwarding tool of your preference.\
Refer to the [official Suricata Documentation](https://docs.suricata.io/en/latest/output/index.html) for more details.

{% hint style="info" %}
In this configuration example, we use the syslog facility `local0`. If you are already using it for another application, please replace it with an unused facility.
{% endhint %}

1. Navigate to your Suricata **configuration file** (usually located at `/etc/suricata/suricata.yaml`) and add the following lines under the **Outputs** section:

```
- eve-log:
    enabled: yes
    filetype: syslog
    facility: local0
    hostname: localhost
```

2. Navigate to the **Syslog configuration file** (e.g. `/etc/rsyslog.conf`) and add a line similar to the following:

```
local0.* @<VM_IP_ADDRESS>:<VM_PORT>
```

3. Replace `<VM_IP_ADDRESS>` and `<VM_PORT>` with the actual private IP address and port of the VM where the Radiant Agent was installed.
4. Restart both the Suricata IDS and Syslog services to apply the changes.

```
sudo systemctl restart suricata
sudo systemctl restart rsyslog
```
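To check on a test host what the `local0.*` forwarding rule above delivers, the following added example (not part of Radiant's documentation or agent) decodes one forwarded syslog datagram and confirms it carries facility `local0` and a parseable EVE JSON record. It assumes rsyslog's default traditional forwarding format over UDP (the single `@` in the rule); the names `parse_forwarded_eve` and `receive_one` and the sample line are constructed for illustration.

```python
import json
import re
import socket

LOCAL0 = 16  # syslog facility code for local0

# <PRI>, then the syslog header up to the first '{', then the EVE JSON object.
_SYSLOG_RE = re.compile(rb"^<(\d{1,3})>([^{]*)(\{.*\})\s*$", re.DOTALL)

def parse_forwarded_eve(datagram: bytes) -> dict:
    """Decode one syslog datagram; return facility, severity and the EVE event."""
    m = _SYSLOG_RE.match(datagram)
    if not m:
        # Also hit when a long event was truncated and lost its closing brace.
        raise ValueError("not a syslog line carrying a complete JSON object")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    event = json.loads(m.group(3))       # JSONDecodeError is a ValueError
    if "event_type" not in event:
        raise ValueError("JSON object is not an EVE record")
    return {"facility": facility, "severity": severity, "event": event}

def receive_one(bind_ip: str, port: int, timeout: float = 10.0) -> dict:
    """Wait for a single UDP datagram on a test port and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_ip, port))
        data, _ = sock.recvfrom(65535)
    return parse_forwarded_eve(data)

# Constructed sample: a local0.info line as rsyslog would forward it.
SAMPLE = (b'<134>Jan  1 00:00:00 sensor01 suricata[1234]: '
          b'{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
          b'"src_ip":"192.0.2.10","dest_ip":"198.51.100.20",'
          b'"alert":{"signature_id":1000001,"signature":"constructed test rule"}}')

if __name__ == "__main__":
    parsed = parse_forwarded_eve(SAMPLE)
    print("facility local0:", parsed["facility"] == LOCAL0,
          "| event_type:", parsed["event"]["event_type"])
```

Point the forwarding rule at a spare host and port running `receive_one` before switching it to the Radiant Agent's address; a facility other than 16 means another application's messages are matching the rule.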

