[Oisf-users] eve.log and event types

Jason Ish lists at unx.ca
Tue Dec 27 15:44:38 UTC 2016 

On Tue, Dec 27, 2016 at 7:38 AM, Vieri <rentorbuy at yahoo.com> wrote:
> outputs.1 = eve-log
> outputs.1.eve-log = (null)
> outputs.1.eve-log.types = (null)
> outputs.1.eve-log.types.0 = alert
> outputs.1.eve-log.types.0.alert = (null)
> outputs.1.eve-log.types.0.alert.http = no
> outputs.1.eve-log.types.0.alert.tls = no
> outputs.1.eve-log.types.0.alert.ssh = no
> outputs.1.eve-log.types.0.alert.smtp = no
> outputs.1.eve-log.types.0.alert.dnp3 = no
> outputs.1.eve-log.types.0.alert.tagged-packets = no
> outputs.1.eve-log.types.0.alert.xff = (null)
> outputs.1.eve-log.types.0.alert.xff.enabled = no
> outputs.1.eve-log.types.0.alert.xff.mode = extra-data
> outputs.1.eve-log.types.0.alert.xff.deployment = reverse
> outputs.1.eve-log.types.0.alert.xff.header = X-Forwarded-For
> outputs.1.eve-log.types.1 = http
> outputs.1.eve-log.types.1.http = (null)
> outputs.1.eve-log.types.1.http.extended = no
> outputs.1.eve-log.types.2 = dns
> outputs.1.eve-log.types.2.dns = (null)
> outputs.1.eve-log.types.2.dns.query = no
> outputs.1.eve-log.types.2.dns.answer = no
> outputs.1.eve-log.types.3 = tls
> outputs.1.eve-log.types.3.tls = (null)
> outputs.1.eve-log.types.3.tls.extended = no
> outputs.1.eve-log.types.4 = files
> outputs.1.eve-log.types.4.files = (null)
> outputs.1.eve-log.types.4.files.force-magic = no
> outputs.1.eve-log.types.5 = drop
> outputs.1.eve-log.types.5.drop = (null)
> outputs.1.eve-log.types.5.drop.alerts = yes
> outputs.1.eve-log.types.6 = smtp
> outputs.1.eve-log.types.6.smtp =
> outputs.1.eve-log.types.7 = ssh
> outputs.1.eve-log.types.8 = stats
> outputs.1.eve-log.types.8.stats = (null)
> outputs.1.eve-log.types.8.stats.totals = yes
> outputs.1.eve-log.types.8.stats.threads = no
> outputs.1.eve-log.types.8.stats.deltas = no
> outputs.1.eve-log.types.9 = flow
> outputs.1.eve-log.enabled = yes
> outputs.1.eve-log.filetype = regular
> outputs.1.eve-log.filename = eve.json

You will want to comment out, or remove the types you are not interested.
To just get "drop" events you'll want your eve-log section to look
something like:

outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      types:
        - drop:
           alerts: yes      # log alerts that caused drops
           flows: all        # start or all: 'start' logs only a single drop
                                 # per flow direction. All logs each
dropped pkt.

Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161227/93e69874/attachment-0002.html>

More information about the Oisf-users mailing list