<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><div dir="ltr"><br>On 8 May 2019, at 01:45, David Decker <<a href="mailto:x.faith@gmail.com">x.faith@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">I think I am having sort of the same problem, side note I am using SecurityOnion. <div>but wanted to switch the output to JSON (eve.json) which is being created, but the alerts are not being populated. </div></div></div></blockquote><div><br></div><div>The should be present in the JSON log as “event_type”:”alert” is that the case ?</div><div><br></div><div>What is the output of “suricata —build-info”?</div><div><br></div><br><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div><div>I believe that they are still being populated for the Barnyard files (per SO). I know I had them both working for a few minutes but currently not getting any thing. here is the part from my suricata.yaml</div><div><br></div><div><div># Extensible Event Format (nicknamed EVE) event log in JSON format</div><div> - eve-log:</div><div> enabled: yes</div><div> filetype: regular #regular|syslog|unix_dgram|unix_stream|redis</div><div> filename: suricata.json</div><div> #prefix: "@cee: " # prefix to prepend to each log entry</div><div> # the following are valid when type: syslog above</div><div> #identity: "suricata"</div><div> #facility: local5</div><div> #level: Info ## possible levels: Emergency, Alert, Critical,</div><div> ## Error, Warning, Notice, Info, Debug</div><div> #redis:</div><div> # server: 127.0.0.1</div><div> # port: 6379</div><div> # async: true ## if redis replies are read asynchronously</div><div> # mode: list ## possible values: list|lpush (default), rpush, channel|publish</div><div> # ## lpush and rpush are using a Redis list. "list" is an alias for lpush</div><div> # ## publish is using a Redis channel. "channel" is an alias for publish</div><div> # key: suricata ## key or channel to use (default to suricata)</div><div> # Redis pipelining set up. This will enable to only do a query every</div><div> # 'batch-size' events. This should lower the latency induced by network</div><div> # connection at the cost of some memory. There is no flushing implemented</div><div> # so this setting as to be reserved to high traffic suricata.</div><div> # pipelining:</div><div> # enabled: yes ## set enable to yes to enable query pipelining</div><div> # batch-size: 10 ## number of entry to keep in buffer</div><div><br></div><div> # Include top level metadata. Default yes.</div><div> metadata: yes</div><div><br></div><div> # include the name of the input pcap file in pcap file processing mode</div><div> pcap-file: false</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 7, 2019 at 4:10 PM Chris Ford <<a href="mailto:crford@gmail.com">crford@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Make sure that you have libjannson installed and that you have alerts enabled under the eve-log output section.<br><br><a href="https://suricata.readthedocs.io/en/suricata-4.1.3/output/eve/eve-json-output.html" target="_blank">https://suricata.readthedocs.io/en/suricata-4.1.3/output/eve/eve-json-output.html</a><br clear="all"></div><div dir="ltr"><div><div dir="ltr" class="gmail-m_-5236342259996797152gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>--<br>
Chris Ford - <a href="mailto:crford@gmail.com" target="_blank">crford@gmail.com</a><br>
GPG Key - <a href="https://keybase.io/crford" target="_blank">https://keybase.io/crford</a></div></div></div></div></div></div></div></div></div></div><br></div><span style="font-size:10pt;font-family:Arial,sans-serif;color:black"></span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> <br></span><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_-5236342259996797152gmail-m_8695289884447464287WordSection1"><p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org" target="_blank">oisf-users-bounces@lists.openinfosecfoundation.org</a>] <b>On Behalf Of </b>Nafisa Mandliwala<br><b>Sent:</b> Tuesday, May 7, 2019 5:10 PM<br><b>To:</b> <a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank">oisf-users@lists.openinfosecfoundation.org</a><br><b>Subject:</b> [Oisf-users] Suricata EVE logging</span></p><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">Hi all,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I have a question about suricata eve log. I tried enabling eve logging (eve.json) by editing the suricata.yaml file-<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><div><p class="MsoNormal"> <span style="color:rgb(102,102,102)"> # Extensible Event Format (nicknamed EVE) event log in JSON format</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:rgb(102,102,102)"> - eve-log:</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:rgb(102,102,102)"> enabled: yes</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:rgb(102,102,102)"> filetype: regular #regular|syslog|unix_dgram|unix_stream|redis</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="color:rgb(102,102,102)"> filename: eve.json</span><u></u><u></u></p></div></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I'm not sure if I'm missing any steps but this does not generate the eve log file under /var/log/suricata/. I tried playing around with syslog/fast/http log and they all seem to work but not eve.<u></u><u></u></p></div><div><p class="MsoNormal">Is enabling the setting in suricata.yaml the only change that needs to be made?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thanks,<u></u><u></u></p></div><div><p class="MsoNormal">Nafisa<u></u><u></u></p></div></div></div></div></div></blockquote></div></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote></body></html>