<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Konstantin,</p>
<p>thanks for your answer.<br>
</p>
<p>I am running Suricata 4.1.2 installed from the Debian Repo.<br>
</p>
<p>I think this is the relevant part of my suricata.yaml:</p>
<pre>  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json

      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: no
            http-body: yes
            http-body-printable: yes
            metadata: yes
            tagged-packets: yes
        - http:
            extended: yes
<b>            metadata: yes</b>
<b>            http-body: yes</b>
<b>            http-body-printable: yes</b></pre>
<p><br>
</p>
<p>I tried it after adding your provided config snippet, but there
is no payload included in the http events. This config seems to
work only in the "alert" section.</p>
<p>I tried also with this config version of "http", even if
http_request_body and http_response_body are not listed for the
"custom" config ->
<a class="moz-txt-link-freetext" href="https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#http">https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#http</a><br>
</p>
<pre>        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional http fields to be included in eve-log
            # the example below adds three additional fields when uncommented
            custom: [http_request_body, http_response_body]
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            metadata: yes
            http-body: yes
            http-body-printable: yes</pre>
<p><br>
</p>
<p>Regards <br>
</p>
<p>Felix<br>
</p>
<div class="moz-cite-prefix">On 05.01.20 09:57, Konstantin Klinger
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:456714613.97097.1578214662043@ox79.mailbox.org">
<pre class="moz-quote-pre" wrap="">Hi Felix,
which Suricata version are you running? And can you please share your suricata.yaml configuration? As far as I can see the fields http_request_body and http_response_body are supported since Suricata 4.0 in the eve json output, but you have to enable it in the configuration:
metadata: yes # enable inclusion of app layer metadata with alert. Default yes
http-body: yes # Requires metadata; enable dumping of http body in Base64
http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
For further questions on the eve json format maybe this link will help you: <a class="moz-txt-link-freetext" href="https://github.com/satta/suricata-json-schema">https://github.com/satta/suricata-json-schema</a>
We would also be very happy for any contribution to that repo to improve the documentation of the eve json output fields.
Cheers,
Konstantin
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On January 5, 2020 at 4:20 AM Felix Müller <a class="moz-txt-link-rfc2396E" href="mailto:ffomueller@gmail.com"><ffomueller@gmail.com></a> wrote:
Hi,
is it possible to add the payload of the type "http" to eve.log even
when the event has not triggered an alert?
I searched in the configuration and the documentation and it seems that
is only possible to get http payloads to a separate file with the option
"http-body-data".
Regards
Felix
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Conference: <a class="moz-txt-link-freetext" href="https://suricon.net">https://suricon.net</a>
Trainings: <a class="moz-txt-link-freetext" href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a>
</pre>
</blockquote>
</blockquote>
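<p>An added example, not part of this thread and not Suricata project code: a small Python checker that reads eve.json (one JSON object per line) and reports, per event_type, how many events carry any of the http_request_body / http_response_body fields and which ones. It is the check to run after a suricata.yaml change to see whether bodies were logged only in "alert" events or also in plain "http" events, which is exactly the question in this thread. The sample lines embedded in the script are constructed, not real captures; the body field names are the ones Suricata 4.x writes into the "http" object of an alert when metadata, http-body and http-body-printable are enabled, and the default path /var/log/suricata/eve.json is an assumption.</p>

```python
import base64
import json
from collections import defaultdict

# Field names Suricata 4.x writes inside the "http" object of an alert event
# when metadata / http-body / http-body-printable are enabled in eve-log.
BODY_FIELDS = (
    "http_request_body",
    "http_request_body_printable",
    "http_response_body",
    "http_response_body_printable",
)

# Constructed sample eve.json lines, not real captures. Line 1 is a plain
# "http" event as written by the "http" output type; line 2 is an "alert"
# event for the same request with http-body logging enabled; line 3 is a
# truncated line, as seen when eve.json is read while Suricata is writing it.
_REQ_BODY = b"user=alice&pass=secret"
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2020-01-05T10:00:00.000000+0100",
        "event_type": "http",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 80,
        "http": {"hostname": "app.example.test", "url": "/login",
                 "http_method": "POST", "status": 200, "length": 2},
    }),
    json.dumps({
        "timestamp": "2020-01-05T10:00:00.000100+0100",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 80,
        "alert": {"signature_id": 9000001, "rev": 1,
                  "signature": "CONSTRUCTED test signature"},
        "http": {"hostname": "app.example.test", "url": "/login",
                 "http_method": "POST", "status": 200,
                 "http_request_body": base64.b64encode(_REQ_BODY).decode(),
                 "http_request_body_printable": _REQ_BODY.decode(),
                 "http_response_body": base64.b64encode(b"OK").decode(),
                 "http_response_body_printable": "OK"},
    }),
    '{"timestamp": "2020-01-05T10:00:01.000000+0100", "event_type": "http", "http": {"host',
]


def parse_eve(lines):
    """Parse NDJSON lines into event dicts, skipping blank or truncated lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial last line: Suricata has not finished writing it
    return events


def body_coverage(events):
    """Per event_type: total events, events carrying any HTTP body field, and
    the set of body fields seen. Shows which output type actually logged bodies."""
    stats = defaultdict(lambda: {"total": 0, "with_body": 0, "fields": set()})
    for ev in events:
        s = stats[ev.get("event_type", "unknown")]
        s["total"] += 1
        present = [f for f in BODY_FIELDS if f in ev.get("http", {})]
        if present:
            s["with_body"] += 1
            s["fields"].update(present)
    return dict(stats)


def decoded_request_bodies(events):
    """Base64-decode http_request_body from every event that has it, so the
    Base64 field can be compared with its *_printable counterpart."""
    out = []
    for ev in events:
        b64 = ev.get("http", {}).get("http_request_body")
        if b64:
            out.append(base64.b64decode(b64).decode("utf-8", "replace"))
    return out


def report(path):
    """Print a one-line summary per event_type for the given eve.json file."""
    with open(path, encoding="utf-8") as fh:
        stats = body_coverage(parse_eve(fh))
    for et, s in sorted(stats.items()):
        fields = ", ".join(sorted(s["fields"])) or "-"
        print(f"{et:8s} events={s['total']:6d} with_body={s['with_body']:6d} fields={fields}")


if __name__ == "__main__":
    import sys
    # Assumed default log location; pass another path as the first argument.
    report(sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json")
```

<p>Run it as <code>python3 eve_body_check.py /path/to/eve.json</code> after generating some HTTP traffic. With the configuration shown in this thread the expected picture is the one the embedded sample reproduces: "alert" events carry the body fields, "http" events do not. Note that http_request_body is Base64 and may be truncated to payload-buffer-size, so decode it before comparing it with the printable field.</p>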
</body>
</html>