[Oisf-users] eve.log including only alert messages
Eric Leblond
eric at regit.org
Mon Mar 20 07:40:11 UTC 2017
Hi,
On Mon, 2017-03-20 at 12:48 +0900, 박경호 wrote:
>
> How should I set up suricata.yaml to have the eve.log file
> contain only alert messages?
> (Suricata version: 3.2.0)
>
> I set up suricata.yaml as below, but the eve.log file includes
> other messages whose event-type is state, http, tls, etc.
>
> outputs:
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>       enabled: no
>       filename: fast.log
>       append: no
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
Simply comment or remove unwanted output. For example:
>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>   - eve-log:
>       enabled: yes
>       filetype: regular
>       filename: eve.json
>       level: Alert
>
>       types:
>         - alert:
>             http: no     # enable dumping of http fields
>             tls: no      # enable dumping of tls fields
>             ssh: no      # enable dumping of ssh fields
>             smtp: no     # enable dumping of smtp fields
>             dnp3: no     # enable dumping of DNP3 fields
>
>             tagged-packets: no
>             xff:
>               enabled: no
>               mode: extra-data
>               deployment: reverse
>               header: X-Forwarded-For
Would get you the wanted result.
BR,
--
Eric Leblond <eric at regit.org>
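An added check for the situation in this thread (it is example code written for this page, not code from the Suricata project or from either poster): once the eve-log `types:` list has been trimmed to `alert`, the quickest way to confirm the change took effect is to count the `event_type` values in the resulting eve.json. The script below does that for a file given on the command line, or for a few constructed EVE lines when run without arguments. Any event_type other than `alert` that still shows up normally corresponds to a same-named entry under `types:` that is still enabled (`fileinfo` events come from `files:`), which tells you exactly which entry to comment out. The sample lines, the sid 1000001 and the hostnames are made up for the example.

```python
#!/usr/bin/env python3
"""Report which event_type values an EVE JSON log contains.

Example added for this thread; not code from the Suricata project or the
list posters. Reads eve.json (one JSON object per line) and reports whether
only `alert` events are present and, if not, which other event_type values
leaked through so the matching `types:` entries can be disabled.
"""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines in the EVE format (not captured from a real
# sensor). The http/tls/stats lines are what an alerts-only eve-log output
# must NOT produce; the non-JSON line exercises the error handling.
SAMPLE_EVE: List[str] = [
    '{"timestamp":"2017-03-20T12:48:01.000000+0900","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL example alert (constructed)","category":"Misc activity","severity":3}}',
    '{"timestamp":"2017-03-20T12:48:01.000500+0900","flow_id":1,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"http":{"hostname":"example.test","url":"/","http_method":"GET","status":200}}',
    '{"timestamp":"2017-03-20T12:48:02.000000+0900","flow_id":2,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.20","proto":"TCP","tls":{"subject":"CN=example.test"}}',
    '{"timestamp":"2017-03-20T12:48:08.000000+0900","event_type":"stats","stats":{"uptime":8}}',
    'this line is not JSON at all',
    '',
]


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count event_type values over EVE lines.

    Returns a dict with:
      counts      - {event_type: number of lines}
      unparseable - 1-based line numbers that were not a JSON object
      alerts_only - True only if at least one event was seen and every
                    event had event_type "alert"
    """
    counts = Counter()
    unparseable: List[int] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless, skip them
        try:
            event = json.loads(line)
        except ValueError:  # json.JSONDecodeError is a ValueError
            unparseable.append(lineno)
            continue
        if not isinstance(event, dict):
            unparseable.append(lineno)
            continue
        counts[str(event.get("event_type", "<missing>"))] += 1
    return {
        "counts": dict(counts),
        "unparseable": unparseable,
        "alerts_only": bool(counts) and set(counts) == {"alert"},
    }


def leaked_types(summary: Dict[str, object]) -> List[str]:
    """event_type values other than 'alert', i.e. the types: entries to disable."""
    return sorted(t for t in summary["counts"] if t != "alert")


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_EVE)
    for event_type, n in sorted(summary["counts"].items()):
        print(f"{event_type:12s} {n}")
    if summary["unparseable"]:
        print("unparseable lines:", summary["unparseable"])
    if summary["alerts_only"]:
        print("OK: only alert events present")
        return 0
    print("NOT alerts-only; still enabled event types:", leaked_types(summary))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 eve_types.py /var/log/suricata/eve.json` after restarting Suricata with the trimmed config; a non-zero exit means something besides `alert` is still being written. Note that the `stats` event type is governed by its own `- stats:` entry under `types:`, not by the `alert` sub-options, so it is a common leftover.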