[Oisf-users] eve.log and event types
Vieri
rentorbuy at yahoo.com
Wed Dec 28 09:09:05 UTC 2016
________________________________
> From: Jason Ish <lists at unx.ca>
>> outputs.1 = eve-log
>> outputs.1.eve-log = (null)
>> outputs.1.eve-log.types = (null)
>> outputs.1.eve-log.types.0 = alert
>> outputs.1.eve-log.types.0.alert = (null)
>> outputs.1.eve-log.types.0.alert.http = no
>> outputs.1.eve-log.types.0.alert.tls = no
>
> You will want to comment out, or remove the types you are not interested in. To just get "drop" events
> you'll want your eve-log section to look something like:
>
> outputs:
>   - eve-log:
>       enabled: yes
>       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
>       filename: eve.json
>       types:
>         - drop:
>             alerts: yes
>             flows: all
Right, but suppose I have the default yaml file which also enables other types. Is it possible to disable these types via the --set command line argument?
That's why I tried to set outputs.1.eve-log.types.0.alert.{http,tls,etc...} = no. I also tried
outputs.1.eve-log.types.0 =
but Suricata still logs alerts in EVE.
Is editing the yaml file the only way to do this?
Thanks,
Vieri
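An added example, not part of this thread or of Suricata itself: a small parser for the flat "key = value" dump format quoted above (the form `suricata --dump-config` prints), which reports the types configured under the eve-log output so you can check what the effective configuration is after `--set` overrides before deciding whether the YAML has to be edited. The sample dump is constructed for the example (the page's lines plus a second `drop` type) and is not a real capture.

```python
import re
from typing import Dict

# Constructed sample in the flat "key = value" form quoted in the thread,
# extended with a second eve-log type so the grouping is visible.
# "(null)" marks a container node that has no scalar value of its own.
SAMPLE_DUMP = """\
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.0.alert = (null)
outputs.1.eve-log.types.0.alert.http = no
outputs.1.eve-log.types.0.alert.tls = no
outputs.1.eve-log.types.1 = drop
outputs.1.eve-log.types.1.drop = (null)
outputs.1.eve-log.types.1.drop.alerts = yes
outputs.1.eve-log.types.1.drop.flows = all
"""


def parse_dump(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a flat dict; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, _, value = line.partition(" = ")
        conf[key.strip()] = value.strip()
    return conf


def eve_types(conf: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {type_name: {option: value}} for every type listed under an
    eve-log output, whichever outputs.N index that output lives at."""
    result: Dict[str, Dict[str, str]] = {}
    for key, value in conf.items():
        if value != "eve-log" or not re.fullmatch(r"outputs\.\d+", key):
            continue
        types_prefix = re.escape(key + ".eve-log.types.")
        for k, v in conf.items():
            # "…types.0 = alert" names a type even if it has no options
            if re.fullmatch(types_prefix + r"\d+", k):
                result.setdefault(v, {})
            # "…types.0.alert.http = no" is an option of that type
            m = re.fullmatch(types_prefix + r"\d+\.([^.]+)\.(.+)", k)
            if m:
                result.setdefault(m.group(1), {})[m.group(2)] = v
    return result
```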