Options
Suricata IDS
If you all haven't tried Suricata with JSON output to Splunk or EVE, you really should check it out. The 2.x branch can capture a ton of info above and beyond just alerts. HTTP, DNS, TLS, SSH, FILES, and even flow data with 2.1beta. Since the output is all in JSON, it is super easy to parse and pull into Splunk or EVE.
This is a basic guide to install suricata with the prereqs for JSON, along with PF_RING and the ability to drop privs.
https://github.com/wesallen/IDS/blob/master/Suricata%20CentOS%207%20Install
This is a basic guide to install suricata with the prereqs for JSON, along with PF_RING and the ability to drop privs.
https://github.com/wesallen/IDS/blob/master/Suricata%20CentOS%207%20Install