[Oisf-users] eve.log including only alert messages

Eric Leblond eric at regit.org
Mon Mar 20 07:40:11 UTC 2017


Hi,

On Mon, 2017-03-20 at 12:48 +0900, 박경호 wrote:
>  
> how should i set up the suricata.yaml for having the eve.log file
> that contains only alert messages?
> (suricata version : 3.2.0)
>  
> i set up the suricata.yaml like below, but the eve.log file include
> the other messages that event-type is state,  http or tls, etc....
>  
> outputs:
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>       enabled: no
>       filename: fast.log
>       append: no
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

Simply comment or remove unwanted output. For example:

>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>   - eve-log:
>       enabled: yes
>       filetype: regular 
>       filename: eve.json
>       level: Alert 
> 
>       types:
>         - alert:
>             http: no                # enable dumping of http fields
>             tls: no                 # enable dumping of tls fields
>             ssh: no                 # enable dumping of ssh fields
>             smtp: no                # enable dumping of smtp fields
>             dnp3: no                # enable dumping of DNP3 fields
> 
>             tagged-packets: no
>             xff:
>               enabled: no
>               mode: extra-data
>               deployment: reverse
>               header: X-Forwarded-For

Would get you the wanted result.

BR,
-- 
Eric Leblond <eric at regit.org>
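A quick way to confirm that trimming the `types` list had the intended effect is to read the resulting eve.json back and report any `event_type` other than `alert`. The script below is an added example for this thread, not Suricata's own code or anything Eric or the original poster posted; the EVE lines it contains are constructed for the demo (the field names `event_type`, `alert.signature_id` and `alert.signature` follow the EVE JSON format, the addresses and signatures are made up), and the `alerts_only()` helper is a post-hoc filter for the case where the config cannot be changed.

```python
import json
from collections import Counter

# Constructed sample of EVE JSON lines (not real Suricata output), written as if
# eve.json still had the http and flow types enabled alongside alert.
# One malformed line is included to show that junk is skipped, not fatal.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-03-20T12:48:00.000000+0900","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1,"signature":"TEST alert 1"}}',
    '{"timestamp":"2017-03-20T12:48:01.000000+0900","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"http":{"hostname":"example.test","url":"/"}}',
    '{"timestamp":"2017-03-20T12:48:02.000000+0900","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","flow":{"pkts_toserver":3}}',
    'not json at all',
    '{"timestamp":"2017-03-20T12:48:03.000000+0900","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":2,"signature":"TEST alert 2"}}',
]


def parse_eve(lines):
    """Yield (line_number, record) for each well-formed JSON object line.

    Blank lines and lines that are not JSON objects are skipped so that a
    partially written last line does not abort the whole check.
    """
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield n, rec


def event_type_counts(lines):
    """Count the event_type values present; a record without one counts as '<none>'."""
    return Counter(rec.get("event_type", "<none>") for _, rec in parse_eve(lines))


def unwanted_types(lines, wanted=("alert",)):
    """Return the sorted event types that should not appear in an alerts-only file.

    An empty list means the eve-log 'types' list is doing what was asked.
    """
    counts = event_type_counts(lines)
    return sorted(t for t in counts if t not in wanted)


def alerts_only(lines):
    """Return only the alert records (a post-hoc filter when the config cannot be changed)."""
    return [rec for _, rec in parse_eve(lines) if rec.get("event_type") == "alert"]


if __name__ == "__main__":
    # In real use, replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json").
    extra = unwanted_types(SAMPLE_EVE_LINES)
    if extra:
        print("eve.json still contains non-alert event types:", ", ".join(extra))
    else:
        print("eve.json contains only alert events")
    for rec in alerts_only(SAMPLE_EVE_LINES):
        print(rec["timestamp"], rec["alert"]["signature_id"], rec["alert"]["signature"])
```

If the report still lists `http`, `flow` or similar, the matching entry under `types:` in the eve-log section is still enabled and needs to be removed or commented out, as described above. Suricata also allows more than one `eve-log` entry under `outputs:` with different filenames, so an alerts-only file can coexist with a second, fuller log if the other event types are still wanted somewhere.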


