https://www.github.com/prizmatik666/suri_dash_cli
a Prizmatik Underground production
SDASH SCREEN SHOT
SLOG SCREEN SHOTS
A small pair of Python utilities for working with Suricata logs in a home-lab, learning, or defensive monitoring environment.
This repo contains:
- `sdash.py` - a live terminal dashboard for `eve.json`
- `slog.py` - an interactive Suricata log viewer / prettifier / exporter
Both tools are designed for readable terminal workflows, SSH/tmux usage, and small-lab network analysis.
Current release target:
- `sdash.py` v3.2
- `slog.py` v0.1.0
These utilities are lab-ready, but not intended to replace a full SIEM, SOC platform, or enterprise Suricata deployment stack.
They are best used for:
- home-lab monitoring
- learning Suricata event structure
- reviewing `eve.json`
- watching alerts/flows in a terminal
- exporting cleaned log summaries
- correlating local scans, SMB tests, DNS, TLS, HTTP, and Suricata alerts
Requirements:
- Linux
- Python 3.9+
- Suricata installed and writing logs
- Terminal with ANSI color support
- Recommended: `jq`, `tmux`
Both tools currently use Python standard-library modules only.
No external Python packages are required for normal use.
For testing:

```bash
sudo apt install python3-pytest
```

or:

```bash
python3 -m pip install pytest
```

By default, both tools expect Suricata logs in:

```
/var/log/suricata/
```

The most important file is:

```
/var/log/suricata/eve.json
```

Common Suricata logs:

| File | Contents |
| --- | --- |
| `eve.json` | Structured JSON event log |
| `fast.log` | Human-readable alerts |
| `stats.log` | Suricata stats output |
| `suricata.log` | Engine/runtime messages |

Check your log directory:

```bash
sudo ls -lh /var/log/suricata/
```

Check where Suricata is configured to write logs:

```bash
grep -n "default-log-dir" /etc/suricata/suricata.yaml
```

Check whether Suricata is running:

```bash
systemctl status suricata
```

or:

```bash
ps aux | grep suricata
```

sdash.py is a live terminal dashboard for Suricata eve.json.
It follows the log, parses events, and displays compact live sections for:
- event counts
- top alerts
- top destination ports
- top talkers
- protocols
- SMB flows
- scan/probe detections
- recent events
It is branded as:
SURICATA LIVE DASHBOARD - PRIZM BUILD
sdash.py reads Suricata EVE JSON events such as:
alert
flow
dns
http
tls
stats
smb
It uses both Suricata-native alerts and local dashboard heuristics.
The dashboard can identify:
- Suricata alert signatures
- Nmap / scan-related alert signatures
- flow-heavy port scans
- light watched-port probes
- SMB 139/445 probes
- SMB flows
- DNS queries
- HTTP/TLS activity
The dashboard has its own scan/probe tracker.
Default behavior:

```
SCAN_WINDOW = 30 seconds
SCAN_THRESHOLD = 5 unique destination ports
LIGHT_SCAN_THRESHOLD = 2 unique watched ports
```
Meaning:
- a wide scan usually appears quickly
- a tiny two-port scan may only show if both ports are seen within the tracking window
- full network-wide detection is only possible for traffic the Suricata sensor can actually see
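The scan/probe tracker described above, re-implemented here as an added, stand-alone example (this is not the repository's own code): it keeps a per-source sliding window of destination ports taken from `flow` events and applies the documented `SCAN_WINDOW` / `SCAN_THRESHOLD` / `LIGHT_SCAN_THRESHOLD` defaults. The `WATCHED_PORTS` set, the `ScanTracker` class and the embedded EVE lines are assumptions of this example; the README does not list which ports the dashboard treats as watched. The sample shows the three cases the list above describes: a two-port probe inside the window, two watched ports too far apart to count, and a wide scan that trips the threshold on the fifth port.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Defaults mirroring the README's documented tracker settings
SCAN_WINDOW = 30            # seconds of history kept per source IP
SCAN_THRESHOLD = 5          # unique destination ports -> "possible scan"
LIGHT_SCAN_THRESHOLD = 2    # unique watched ports -> "light probe"
# Assumption: the dashboard's real watched-port list is not documented; this is a constructed set
WATCHED_PORTS = {22, 139, 445, 3389}


def parse_ts(value):
    """Suricata EVE timestamps look like 2024-01-01T12:00:00.000000+0000; return epoch seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


class ScanTracker:
    """Sliding-window port tracker keyed by source IP (example implementation)."""

    def __init__(self, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD,
                 light_threshold=LIGHT_SCAN_THRESHOLD, watched=WATCHED_PORTS):
        self.window = window
        self.threshold = threshold
        self.light_threshold = light_threshold
        self.watched = set(watched)
        self.seen = defaultdict(deque)  # src_ip -> deque of (epoch_seconds, dest_port)

    def feed(self, event):
        """Feed one parsed EVE record; return ("scan"|"light-probe", src, ports) or None."""
        if event.get("event_type") != "flow":
            return None
        src, dport = event.get("src_ip"), event.get("dest_port")
        if src is None or dport is None:
            return None
        now = parse_ts(event["timestamp"])
        dq = self.seen[src]
        dq.append((now, int(dport)))
        # Drop observations older than the window so a slow two-port probe does not accumulate
        while dq and now - dq[0][0] > self.window:
            dq.popleft()
        ports = {p for _, p in dq}
        if len(ports) >= self.threshold:
            return ("scan", src, sorted(ports))
        watched_hits = ports & self.watched
        if len(watched_hits) >= self.light_threshold:
            return ("light-probe", src, sorted(watched_hits))
        return None


def flow(ts, src, dport):
    """Build one constructed EVE flow line (not a real capture)."""
    return json.dumps({"timestamp": ts, "event_type": "flow", "src_ip": src,
                       "dest_ip": "192.168.2.5", "dest_port": dport, "proto": "TCP"})


SAMPLE_EVE = [
    flow("2024-01-01T12:00:00.000000+0000", "192.168.2.20", 139),
    flow("2024-01-01T12:00:05.000000+0000", "192.168.2.20", 445),   # 139 + 445 within 5 s
    flow("2024-01-01T12:01:00.000000+0000", "192.168.2.40", 22),
    flow("2024-01-01T12:01:45.000000+0000", "192.168.2.40", 3389),  # 45 s later: outside window
] + [flow(f"2024-01-01T12:02:{i:02d}.000000+0000", "192.168.2.30", 1000 + i) for i in range(6)]


def run_demo(lines=SAMPLE_EVE):
    """Replay EVE lines through the tracker and collect every verdict it emits."""
    tracker = ScanTracker()
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at rotation time is skipped, not fatal
        verdict = tracker.feed(event)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for kind, src, ports in run_demo():
        print(f"{kind:12} {src:15} ports={ports}")
```

The 192.168.2.40 pair never fires because the second watched port arrives after the 30-second window has expired, which is exactly why the README suggests `--window 60` for slow, small probes.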
Important network visibility note:
A Suricata sensor on one host usually sees:
traffic to/from itself
broadcast traffic
multicast traffic
some local discovery traffic
It usually does not see all device-to-device unicast traffic on a switched LAN or Wi-Fi network unless you use:
- router/gateway placement
- SPAN/mirror port
- network tap
- host-based Suricata on each endpoint
- controlled lab MITM setup
So if Suricata runs on 192.168.2.5, scanning 192.168.2.5 from another machine should be visible, but scanning two other LAN hosts may not be.
Basic run:

```bash
sudo python3 sdash.py
```

Make executable:

```bash
chmod +x sdash.py
sudo ./sdash.py
```

Run against a specific EVE log:

```bash
sudo python3 sdash.py --log /var/log/suricata/eve.json
```

Lower scan threshold for a small home lab:

```bash
sudo python3 sdash.py --scan-threshold 2 --window 60
```

Show full IPv6 addresses:

```bash
sudo python3 sdash.py --full-ip
```

Start from the beginning of the log instead of only following new events:

```bash
sudo python3 sdash.py --no-follow-end
```

Inside the dashboard:
q quit
p pause/resume
--log PATH
Path to Suricata eve.json.
Default: /var/log/suricata/eve.json
--scan-threshold N
Number of unique destination ports required before a possible scan is shown.
Default: 5
--light-threshold N
Number of watched ports required for light probe detection.
Default: 2
--window SECONDS
Time window for scan/probe tracking.
Default: 30
--max-events N
Number of recent events kept in memory.
Default: 40
--full-ip
Show full IP addresses instead of shortening IPv6 addresses.
--no-follow-end
Start reading from the beginning of the log instead of tailing only new events.
Suricata logs are often root-readable only.
If you see:

```
Permission denied
Log file is not readable
```

Run:

```bash
sudo python3 sdash.py
```

If the dashboard says:
TERMINAL TOO SMALL - resize pane
Fix:
- enlarge the terminal
- enlarge the tmux pane
- reduce font size
- use fullscreen terminal mode
A tiny scan such as:

```bash
nmap -Pn -p 139,445 TARGET
```

may not always show depending on:
- Suricata visibility
- whether flow events are generated
- whether both ports appear inside the scan window
- whether the traffic reaches the sensor
- whether the correct interface is monitored
Try:

```bash
nmap -Pn -p 1-300 TARGET
```

or:

```bash
sudo python3 sdash.py --scan-threshold 2 --window 60
```

A VERY common issue:
Suricata may be monitoring the wrong NIC.
Check active interface:

```bash
grep "interface:" /etc/suricata/suricata.yaml
```

Verify traffic:

```bash
sudo tcpdump -i wlan1
```

If tcpdump sees traffic but sdash remains empty:
- Suricata may not be attached to the correct interface
- EVE logging may be disabled
- eve.json may not be enabled in suricata.yaml
If eve.json never updates:
Check:

```bash
grep -n "eve-log" /etc/suricata/suricata.yaml
```

Make sure:

```yaml
  - eve-log:
      enabled: yes
```

exists.
Restart Suricata after changes:

```bash
sudo systemctl restart suricata
```

If no alerts appear:
Possible causes:
- no rules loaded
- ET/Open not installed
- Suricata running without rule sources
- HOME_NET misconfigured
- interface mismatch
- scans too light
Check rules:

```bash
sudo suricata-update list-sources
sudo suricata-update
```

Then restart:

```bash
sudo systemctl restart suricata
```

If scans are not detected:
Possible causes:
- thresholds too high
- scans too small
- flow events missing
- Suricata only seeing partial traffic
Try:

```bash
sudo python3 sdash.py --scan-threshold 2
```

slog.py is a Suricata log viewer, browser, prettifier, and exporter.
It can:
- list logs from `/var/log/suricata`
- open `.log`, `.json`, and `.gz` files
- pretty-format `eve.json`
- browse cleaned output page-by-page
- filter by `event_type`
- export cleaned log output to `~/logs`
- run interactively or in export-only mode
It is branded as:
suri-log-viewer - PRIZM BUILD
Use slog.py when you want to inspect logs after the fact.
Good use cases:
- review `eve.json`
- export readable alert summaries
- inspect DNS/HTTP/TLS/flow activity
- clean noisy JSON into readable text
- prepare notes for reports or portfolio writeups
- browse compressed rotated logs
Basic interactive run:

```bash
sudo python3 slog.py
```

Make executable:

```bash
chmod +x slog.py
sudo ./slog.py
```

Open a specific log:

```bash
sudo python3 slog.py --file eve.json
```

Open compressed logs:

```bash
sudo python3 slog.py --file eve.json.1.gz
```

Export alert-only events:

```bash
sudo python3 slog.py \
  --file eve.json \
  --event-type alert \
  --export-only \
  --output alerts.txt
```

Disable color:

```bash
sudo python3 slog.py --no-color
```

Inside the viewer:
n / Enter next page
p previous page
g top
G bottom
q quit viewer
--log-dir PATH
Directory containing Suricata logs.
Default: /var/log/suricata
--save-dir PATH
Default export directory.
Default: ~/logs
--file FILE
Specific log file to open.
--limit N
Number of events/lines to load.
Use 0 for whole file.
Default: 500
--tail
Read the last --limit lines instead of the first.
--no-color
Disable ANSI colors.
--export-only
Export prettified output without opening the interactive viewer.
--output FILE
Output filename/path for export-only mode.
--page-lines N
Lines shown per page in the viewer.
Default: 28
--event-type TYPE
Filter eve.json by event type.
Example:
alert
dns
http
tls
flow
--version
Show version and exit.
If you cannot read logs:
Permission denied
Run:

```bash
sudo python3 slog.py
```

Some Suricata installs generate HUGE logs.
Using:

```
--limit 0
```

on a massive eve.json may consume large amounts of RAM and become slow.
Safer options:

```
--limit 500
--limit 2000
--tail
```

If Suricata crashes or rotates logs mid-write, some lines may not parse cleanly.
The viewer attempts to continue safely and will display raw lines when parsing fails.
Compressed logs such as:
eve.json.1.gz
are supported automatically.
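An added example (not `slog.py` itself) of the reading behaviour described in the last few paragraphs and in the `--limit`, `--tail` and `--event-type` options: plain or `.gz` input opened transparently, a `--tail`-style read that streams the file but keeps only the last N lines in memory, an `event_type` filter, and raw fallback for a line truncated by rotation mid-write. The function names, the one-line output format and the embedded sample records (including the deliberately cut-off last line) are constructed for this example.

```python
import gzip
import json
import tempfile
from collections import deque
from pathlib import Path


def open_log(path):
    """Open a plain or gzip-compressed log as text (assumption: a .gz suffix means gzip)."""
    path = Path(path)
    if path.suffix == ".gz":
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")


def read_lines(path, limit=500, tail=False):
    """Return up to `limit` lines; 0 loads the whole file (the RAM-hungry case the README warns about).

    With tail=True the file is still streamed once, but deque(maxlen=limit)
    keeps only the last `limit` lines, so a huge eve.json never sits in memory.
    """
    with open_log(path) as fh:
        if limit == 0:
            return [line.rstrip("\n") for line in fh]
        if tail:
            return [line.rstrip("\n") for line in deque(fh, maxlen=limit)]
        head = []
        for line in fh:
            if len(head) >= limit:
                break
            head.append(line.rstrip("\n"))
        return head


def parse_events(lines, event_type=None):
    """Yield (event_dict_or_None, raw_line). Unparseable lines are passed through as raw text."""
    for raw in lines:
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            yield None, raw          # half-written line at rotation time: keep it visible
            continue
        if event_type and ev.get("event_type") != event_type:
            continue
        yield ev, raw


def prettify(ev, raw):
    """One readable line per event; the layout here is this example's own, not slog.py's."""
    if ev is None:
        return f"[unparsed] {raw}"
    base = (f"{ev.get('timestamp', '?')} {ev.get('event_type', '?'):6} "
            f"{ev.get('src_ip', '?')}:{ev.get('src_port', '-')} -> "
            f"{ev.get('dest_ip', '?')}:{ev.get('dest_port', '-')}")
    et = ev.get("event_type")
    if et == "alert":
        a = ev.get("alert", {})
        return f"{base} sev={a.get('severity', '?')} sid={a.get('signature_id', '?')} {a.get('signature', '')}"
    if et == "dns":
        d = ev.get("dns", {})
        return f"{base} {d.get('type', '?')} {d.get('rrname', '')} {d.get('rrtype', '')}"
    if et == "http":
        h = ev.get("http", {})
        return f"{base} {h.get('http_method', '?')} {h.get('hostname', '')}{h.get('url', '')} {h.get('status', '')}"
    if et == "tls":
        t = ev.get("tls", {})
        return f"{base} sni={t.get('sni', '')} {t.get('version', '')}"
    return base


def export(log_path, output_path, event_type=None, limit=500, tail=False):
    """Export-only mode: write prettified lines to output_path and return them."""
    lines = read_lines(log_path, limit=limit, tail=tail)
    rendered = [prettify(ev, raw) for ev, raw in parse_events(lines, event_type)]
    Path(output_path).write_text("\n".join(rendered) + "\n", encoding="utf-8")
    return rendered


# Constructed EVE records for the demo; not real captures
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T12:00:00.000000+0000", "event_type": "alert",
     "src_ip": "192.168.2.20", "src_port": 51234, "dest_ip": "192.168.2.5", "dest_port": 445,
     "proto": "TCP", "alert": {"signature_id": 9000001, "signature": "LAB SMB probe", "severity": 2}},
    {"timestamp": "2024-01-01T12:00:01.000000+0000", "event_type": "dns",
     "src_ip": "192.168.2.20", "src_port": 40000, "dest_ip": "192.168.2.1", "dest_port": 53,
     "proto": "UDP", "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}},
    {"timestamp": "2024-01-01T12:00:02.000000+0000", "event_type": "flow",
     "src_ip": "192.168.2.20", "src_port": 51235, "dest_ip": "192.168.2.5", "dest_port": 139, "proto": "TCP"},
]


def write_sample_gz(path):
    """Write the sample as eve.json.1.gz, ending with a line cut off mid-write."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for ev in SAMPLE_EVENTS:
            fh.write(json.dumps(ev) + "\n")
        fh.write('{"timestamp": "2024-01-01T12:00:03.000000+0000", "event_type": "al')


def demo():
    """Return (all lines, alert-only lines, last two lines) rendered from the sample archive."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "eve.json.1.gz"
        write_sample_gz(log)
        everything = export(log, Path(tmp) / "all.txt")
        alerts_only = export(log, Path(tmp) / "alerts.txt", event_type="alert")
        last_two = export(log, Path(tmp) / "tail.txt", limit=2, tail=True)
    return everything, alerts_only, last_two


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The truncated record survives the `--event-type alert` filter on purpose: a line the parser could not read is shown raw rather than silently dropped, which is the behaviour the text above describes for rotation or crash damage.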
Not all Suricata installs/log formats include SMB event metadata.
If SMB sections appear sparse:
- SMB logging may not be enabled
- Suricata version may differ
- SMB parser/app-layer support may differ
If neither tool shows any events:
Possible causes:
- Suricata not running
- wrong log directory
- EVE logging disabled
- no traffic
- wrong monitored interface
Check:

```bash
systemctl status suricata
```

and:

```bash
ls -lh /var/log/suricata/
```

Tests:
Install pytest:

```bash
sudo apt install python3-pytest
```

Run all tests:

```bash
pytest -v
```

Run only sdash tests:

```bash
pytest -v tests/test_sdash.py
```

Run only slog tests:

```bash
pytest -v tests/test_slog.py
```

Expected output:

```
18 passed
```

or similar.
These tools work especially well in:
- tmux
- Warp terminal
- SSH sessions
- Kali Linux
- Suricata home labs
- small monitoring VMs
- Raspberry Pi sensors
- local Wi-Fi analysis setups
Possible future upgrades:
- dashboard snapshots
- live alert sound hooks
- ncurses window resizing
- device-name labeling
- protocol heatmaps
- alert search
- grep-style filtering
- offline replay mode
- multi-log correlation
- pcap correlation
- Zeek integration
- JSON export modes
- dark/light terminal themes
- alert severity sorting
- keyboard toggles inside sdash
- Suricata rule hit statistics