[Oisf-users] eve.log and event types

Jason Ish lists at unx.ca
Wed Dec 28 14:42:02 UTC 2016


On Wed, Dec 28, 2016 at 3:09 AM, Vieri <rentorbuy at yahoo.com> wrote:

> > From: Jason Ish <lists at unx.ca>
> >> outputs.1 = eve-log
> >> outputs.1.eve-log = (null)
> >> outputs.1.eve-log.types = (null)
> >> outputs.1.eve-log.types.0 = alert
> >> outputs.1.eve-log.types.0.alert = (null)
> >> outputs.1.eve-log.types.0.alert.http = no
> >> outputs.1.eve-log.types.0.alert.tls = no
> >
>
> > You will want to comment out, or remove the types you are not
> > interested in. To just get "drop" events
> > you'll want your eve-log section to look something like:
> >
> > outputs:
> >   - eve-log:
> >       enabled: yes
> >       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
> >       filename: eve.json
> >       types:
> >         - drop:
> >             alerts: yes
> >             flows: all
>
> Right, but suppose I have the default yaml file which also enables other
> types. Is it possible to disable these types via the --set command line
> argument?
> That's why I tried to set outputs.1.eve-log.types.0.alert.{http,tls,etc...}
> = no. I also tried
>
> outputs.1.eve-log.types.0 =
>
> but Suricata still logs alerts in EVE.
>
> Is editing the yaml file the only way to do this?
>

Yes, you're going to have to edit the yaml. The set doesn't play nicely
with lists; it might be possible if these had "enabled" flags, but they
don't. Their existence in the list enables them.

Another option is to create a new YAML that includes the default, then
re-define the outputs section.

%YAML 1.1
---

include: /etc/suricata/suricata.yaml

# Redefine outputs.
outputs:
   - eve-log:
   ...

# EOF

You'll have to completely redefine the outputs section to how you will want
it, as this will replace the outputs in the included file, not merge them.

Jason
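A complete override file of the kind described in this reply, added here as an example rather than taken from the thread or from the Suricata project. The file path and the decision to keep the fast and stats outputs alongside the drop-only eve-log are assumptions; the point it illustrates is that whatever is left out of this outputs list is no longer written at all.

```yaml
%YAML 1.1
---
# /etc/suricata/drop-only.yaml (assumed path): pull in the stock config,
# then replace its outputs section wholesale with the outputs we want.
include: /etc/suricata/suricata.yaml

outputs:
  # Every output NOT listed here is gone, because the include mechanism
  # replaces the whole 'outputs' section rather than merging it.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        # Only 'drop' is listed, so alert/http/dns/tls/... are never written;
        # there is no per-type "enabled" flag to flip from the command line.
        - drop:
            alerts: yes
            flows: all

  - stats:
      enabled: yes
      filename: stats.log
      totals: yes
      threads: no
```

Start Suricata with `-c /etc/suricata/drop-only.yaml` and confirm the result with `--dump-config`, which should show a single `outputs.N.eve-log.types.0 = drop` entry and no alert/http/tls types under eve-log.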