<html><head><style>p{margin-top:0px;margin-bottom:0px;}</style></head><body><div style="font-size:10pt; font-family:Gulim;">
<p>Thank you for your comments.</p>
<p> </p>
<p>I got the wanted result by commenting out the unnecessary parts in the yaml.</p>
<p> </p>
<p style="padding: 0px 0px 0px 10pt; font-family: sans-serif; font-size: 10pt;"><span>-----Original Message-----</span><br>
<b>From:</b> "Eric Leblond" &lt;eric@regit.org&gt;<br>
<b>To:</b> "박경호" &lt;pgh5247@naver.com&gt;; &lt;oisf-users@lists.openinfosecfoundation.org&gt;;<br>
<b>Cc:</b> <br>
<b>Sent:</b> 2017-03-20 (Mon) 16:40:11<br>
<b>Subject:</b> Re: [Oisf-users] eve.log including only alert messages<br>
 </p>
Hi,<br><br>
On Mon, 2017-03-20 at 12:48 +0900, 박경호 wrote:<br>
> <br>
> How should I set up the suricata.yaml to have the eve.log file<br>
> contain only alert messages?<br>
> (suricata version : 3.2.0)<br>
> <br>
> I set up the suricata.yaml like below, but the eve.log file includes<br>
> other messages whose event-type is state, http or tls, etc.<br>
> <br>
> outputs:<br>
>   # a line based alerts log similar to Snort's fast.log<br>
>   - fast:<br>
>       enabled: no<br>
>       filename: fast.log<br>
>       append: no<br>
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'<br><br>
Simply comment or remove unwanted output. For example:<br><br>
>   # Extensible Event Format (nicknamed EVE) event log in JSON format<br>
>   - eve-log:<br>
>       enabled: yes<br>
>       filetype: regular<br>
>       filename: eve.json<br>
>       level: Alert<br>
> <br>
>       types:<br>
>         - alert:<br>
>             http: no                # enable dumping of http fields<br>
>             tls: no                 # enable dumping of tls fields<br>
>             ssh: no                 # enable dumping of ssh fields<br>
>             smtp: no                # enable dumping of smtp fields<br>
>             dnp3: no                # enable dumping of DNP3 fields<br>
> <br>
>             tagged-packets: no<br>
>             xff:<br>
>               enabled: no<br>
>               mode: extra-data<br>
>               deployment: reverse<br>
>               header: X-Forwarded-For<br><br>
Would get you the wanted result.<br><br>
BR,<br>
-- <br>
Eric Leblond &lt;eric@regit.org&gt;<br><br>
</div></body></html>
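As an added check (not code from this thread or from Suricata itself): a small Python script that reads eve.json line by line and tallies the event_type of each record, so that after trimming the eve-log types: section you can confirm that nothing but alert records are still being written. The sample lines are constructed for the example, not real log output.

```python
import json
from collections import Counter

# Constructed sample of eve.json content (one JSON object per line, as Suricata
# writes it). The "http" and "tls" records and the junk line are deliberate,
# to exercise the check; they are not real traffic.
SAMPLE_EVE = """\
{"timestamp":"2017-03-20T12:48:00.000000+0900","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":1000001,"signature":"TEST rule","severity":2}}
{"timestamp":"2017-03-20T12:48:01.000000+0900","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/"}}
{"timestamp":"2017-03-20T12:48:02.000000+0900","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","tls":{"subject":"CN=example.test"}}
this line is not json
{"timestamp":"2017-03-20T12:48:03.000000+0900","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":1000002,"signature":"TEST rule 2","severity":1}}
"""


def count_event_types(lines):
    """Return (Counter of event_type -> count, number of non-JSON lines)."""
    counts = Counter()
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:                      # blank lines are not an error
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            bad += 1                      # truncated or foreign line
            continue
        if not isinstance(record, dict):
            bad += 1
            continue
        counts[record.get("event_type", "(none)")] += 1
    return counts, bad


def non_alert_types(lines):
    """Sorted event types other than 'alert'; empty means only alerts remain."""
    counts, _ = count_event_types(lines)
    return sorted(t for t in counts if t != "alert")


if __name__ == "__main__":
    # Replace SAMPLE_EVE.splitlines() with open("/var/log/suricata/eve.json")
    # to check a real log; a file object iterates line by line.
    counts, bad = count_event_types(SAMPLE_EVE.splitlines())
    print("event types:", dict(counts), "unparsable lines:", bad)
    print("non-alert types:", non_alert_types(SAMPLE_EVE.splitlines()))
```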