<html><head><style>p{margin-top:0px;margin-bottom:0px;}</style></head><body><div style="font-size:10pt; font-family:Gulim;"><p>How should I set up suricata.yaml so that the eve.log file contains only alert messages?</p><p>(Suricata version: 3.2.0)</p><p>I set up suricata.yaml as below, but the eve.log file includes other messages whose event-type is state, http, tls, etc.</p><pre style="color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-style: normal; font-weight: normal; word-spacing: 0px; white-space: pre-wrap; -ms-word-wrap: break-word; orphans: 2; widows: 2; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal;">outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: no
      filename: fast.log
      append: no
      filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular 
      filename: eve.json
      level: Alert 

      types:
        - alert:
            http: no                # enable dumping of http fields
            tls: no                 # enable dumping of tls fields
            ssh: no                 # enable dumping of ssh fields
            smtp: no                # enable dumping of smtp fields
            dnp3: no                # enable dumping of DNP3 fields

            tagged-packets: no
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
            extended: no
        - dns:
            query: no
            answer: no
        - tls:
            extended: no
        - files:
            force-magic: no   # force logging magic on all logged files
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        #- flow
        # uni-directional flows
        #- netflow
        #- dnp3
</pre></div></body></html>
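Added example, not part of the original post: an eve-log section that writes only alert records, assembled from the keys already present in the posted config (Suricata 3.2 eve-log syntax, file name and flag values are mine). The eve-log output writes one record per entry under `types:`, so the http, dns, tls, files, smtp, ssh and stats records appear precisely because those types are listed; removing them is what makes the file alert-only. The `http:` / `tls:` flags under `alert:` do not create records of their own, they embed the matching protocol fields inside each alert record, so they can stay on. The file is named by `filename:`, so with the posted config the output is eve.json, not eve.log. I am not aware of a `level:` key for eve-log in 3.2; as far as I know unrecognised keys are ignored, so that line has no effect either way.

```yaml
outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json      # file name is taken from here, not fixed to eve.log

      # Only the record types listed here are written. Keeping just 'alert'
      # gives an alert-only file; every other type (http, dns, tls, files,
      # smtp, ssh, stats, flow, netflow, dnp3) must be absent or commented out.
      types:
        - alert:
            # These flags add no separate records; they embed protocol
            # fields inside the alert record itself, so they are safe to enable.
            http: yes               # example value, enable if wanted
            tls: yes                # example value, enable if wanted
            ssh: no
            smtp: no
            dnp3: no

            tagged-packets: no
            xff:
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        # Everything below is intentionally left out so no non-alert
        # records reach this file:
        #- http
        #- dns
        #- tls
        #- files
        #- smtp
        #- ssh
        #- stats
        #- flow
        #- netflow
        #- dnp3
```

Output configuration is read at startup, so restart Suricata after the change (a rule reload does not re-open outputs). Then check which record types the file contains with `jq -r '.event_type' eve.json | sort | uniq -c`; only `alert` should be listed. If the other record types are still needed elsewhere, keep them in a second `- eve-log:` entry with a different `filename:`; eve-log supports multiple instances, each with its own `types:` list, so one file can hold alerts only and another the protocol and stats records.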