[Oisf-users] extended logging of alerts?
Ted Timmons
ted at perljam.net
Wed Feb 3 19:22:21 UTC 2016
On Wed, Feb 3, 2016 at 7:57 AM Victor Julien <lists at inliniac.net> wrote:
> On 03-02-16 02:05, Ted Timmons wrote:
>> I'm logging alerts to eve-log. I'd like to get extended information
>> (such as tls.fingerprint or dns.rrname) in an alert entry. It seems they
>> don't show up unless I log all DNS or TLS traffic.
> Can you share the eve-log section of your yaml?
Sure Victor, here it is.
outputs:
  - eve-log:
      enabled: yes
      type: syslog #file|syslog|unix_dgram|unix_stream
      identity: "suricata"
      facility: local5
      level: Warning ## possible levels: Emergency, Alert, Critical,
                     ## Error, Warning, Notice, Info, Debug
      types:
        - alert:
            tls: yes
            dns:
              extended: yes # added recently as an experiment
        - drop
        - ssh

  # further down in the outputs section:
  - syslog:
      enabled: yes # must be enabled for eve-log to work.
      facility: local5

# here's part of my app-layer config:
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    fileinfo:
      enabled: yes
    dns:
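One way to get tls.fingerprint or dns.rrname next to an alert when the alert record itself does not carry them: if the dns and tls types are logged alongside alerts, every eve event carries a flow_id, so alerts can be joined after the fact with the dns/tls events of the same flow. This is an added example, not code from the thread or from Suricata; it assumes eve-log written as JSON lines to a file (rather than the syslog output used above) and that flow_id is present in the events, and it uses constructed sample lines embedded inline.

```python
import json
from collections import defaultdict

# Constructed sample eve-log lines (JSON per line), not a real capture.
# Flow 42: dns event + alert; flow 43: tls event + alert; flow 99: alert only.
SAMPLE_EVE = """\
{"timestamp":"2016-02-03T10:00:00.000000+0000","flow_id":42,"event_type":"dns","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}
{"timestamp":"2016-02-03T10:00:00.100000+0000","flow_id":42,"event_type":"alert","alert":{"signature_id":1000001,"signature":"CONSTRUCTED dns sig"}}
{"timestamp":"2016-02-03T10:00:01.000000+0000","flow_id":43,"event_type":"tls","tls":{"subject":"CN=example.com","issuerdn":"CN=Example CA","fingerprint":"aa:bb:cc"}}
{"timestamp":"2016-02-03T10:00:02.000000+0000","flow_id":43,"event_type":"alert","alert":{"signature_id":1000002,"signature":"CONSTRUCTED tls sig"}}
{"timestamp":"2016-02-03T10:00:03.000000+0000","flow_id":99,"event_type":"alert","alert":{"signature_id":1000003,"signature":"CONSTRUCTED no context"}}
"""

def parse_eve(text):
    """Parse JSON-lines eve output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # e.g. a truncated line: skip it rather than abort
    return events

def enrich_alerts(events):
    """Return alert events with tls/dns metadata from events sharing their flow_id."""
    context = defaultdict(dict)  # flow_id -> {"tls": {...}, "dns": [...]}
    for ev in events:
        fid = ev.get("flow_id")
        if fid is None:
            continue
        if ev.get("event_type") == "tls":
            context[fid]["tls"] = ev["tls"]
        elif ev.get("event_type") == "dns":
            context[fid].setdefault("dns", []).append(ev["dns"])
    enriched = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        out = dict(ev)
        out.update(context.get(ev.get("flow_id"), {}))  # no context -> unchanged
        enriched.append(out)
    return enriched

if __name__ == "__main__":
    for alert in enrich_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(alert))
```

Note that a DNS lookup for a server name normally happens on its own UDP flow, so this join only attaches dns records to alerts raised on that DNS flow itself; the tls record, by contrast, sits on the same flow as an alert on the HTTPS connection.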