[Oisf-users] eve.log including only alert messages

박경호 pgh5247 at naver.com
Mon Mar 20 03:48:41 UTC 2017

how should i set up the suricata.yaml for having the eve.log file that contains only alert messages?
(suricata version : 3.2.0)
i set up the suricata.yaml like below, but the eve.log file include the other messages that event-type is state,  http or tls, etc....
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: no
      filename: fast.log
      append: no
      filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular 
      filename: eve.json
      level: Alert 

        - alert:
            http: no                # enable dumping of http fields
            tls: no                 # enable dumping of tls fields
            ssh: no                 # enable dumping of ssh fields
            smtp: no                # enable dumping of smtp fields
            dnp3: no                # enable dumping of DNP3 fields

            tagged-packets: no
              enabled: no
              mode: extra-data
              deployment: reverse
              header: X-Forwarded-For
        - http:
            extended: no
        - dns:
            query: no
            answer: no
        - tls:
            extended: no
        - files:
            force-magic: no   # force logging magic on all logged files
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            #  x-originating-ip, in-reply-to, references, importance, priority,
            #  sensitivity, organization, content-md5, date
            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            #md5: [body, subject]
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        # bi-directional flows
        #- flow
        # uni-directional flows
        #- netflow
        #- dnp3
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170320/a7238c6d/attachment.html>

More information about the Oisf-users mailing list