[Oisf-users] files-json logging versus http logging

Peter Manev petermanev at gmail.com
Fri Apr 4 13:07:58 UTC 2014

On Fri, Apr 4, 2014 at 3:02 PM, Peter Manev <petermanev at gmail.com> wrote:
> On Fri, Apr 4, 2014 at 2:49 PM, Adnan Baykal <abaykal at gmail.com> wrote:
>> if I turn on files-json logging, would that also include all the http
>> connections that would be included on the http logging? if not, what would
>> be excluded? I see the value in both but if I can extract the HTTP logs out
>> of files-json, I would rather do that than turning both logging options.
> You do not need both turned on at the same time.
> You can just do in your eve.json logging section in suricata.yaml:
>       types:
>         #- alert
>         - http:
>             extended: yes
> and comment out the others, aka make sure only http is uncommented.
> thanks

correction !
I misread your question, apologize

If you are using Suricata 2.0 you can turn on file logging from
eve.json and/or use files-json.

that would include the http connections as well , but just for that
particular file - not all http logging.
You can then enable the json http logging as well (the eve.json
section) if you wish.


Peter Manev

More information about the Oisf-users mailing list