[Oisf-users] eve.log including only alert messages
박경호
pgh5247 at naver.com
Wed Mar 22 07:14:23 UTC 2017
Thank you for your comments.
I got the wanted result by commenting out the unnecessary parts in the yaml.
-----Original Message-----
From: "Eric Leblond"<eric at regit.org>
To: "박경호"<pgh5247 at naver.com>; <oisf-users at lists.openinfosecfoundation.org>;
Cc:
Sent: 2017-03-20 (Mon) 16:40:11
Subject: Re: [Oisf-users] eve.log including only alert messages
Hi,
On Mon, 2017-03-20 at 12:48 +0900, 박경호 wrote:
>
> How should I set up the suricata.yaml to have an eve.log file
> that contains only alert messages?
> (suricata version : 3.2.0)
>
> I set up the suricata.yaml like below, but the eve.log file includes
> the other messages whose event-type is state, http or tls, etc....
>
> outputs:
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>       enabled: no
>       filename: fast.log
>       append: no
>       filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
Simply comment or remove unwanted output. For example:
>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>   - eve-log:
>       enabled: yes
>       filetype: regular
>       filename: eve.json
>       level: Alert
>
>       types:
>         - alert:
>             http: no     # enable dumping of http fields
>             tls: no      # enable dumping of tls fields
>             ssh: no      # enable dumping of ssh fields
>             smtp: no     # enable dumping of smtp fields
>             dnp3: no     # enable dumping of DNP3 fields
>
>             tagged-packets: no
>             xff:
>               enabled: no
>               mode: extra-data
>               deployment: reverse
>               header: X-Forwarded-For
Would get you the wanted result.
BR,
--
Eric Leblond <eric at regit.org>
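Once the extra entries under `types:` are commented out, the quickest way to confirm the change took effect is to look at the `event_type` field of the records Suricata writes to eve.json. The script below is an added check, not code from this thread or from the Suricata project: it counts the event types in an eve.json file, names any type other than `alert` that is still being emitted (each maps back to an entry under `outputs: eve-log: types:`), tolerates truncated or non-JSON lines without aborting, and can post-filter an existing file down to alert records. The eve.json lines embedded in it are constructed samples, not real Suricata output.

```python
"""Check that a Suricata eve.json contains only alert records (added example)."""
import json
import sys
from collections import Counter

# Constructed sample lines (NOT real Suricata output): one alert plus the
# record kinds that a permissive "types:" list would also write, and one
# damaged line to show that the check reports it instead of crashing.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-03-20T12:48:00.000000+0900","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED test rule","severity":2}}',
    '{"timestamp":"2017-03-20T12:48:01.000000+0900","event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/"}}',
    '{"timestamp":"2017-03-20T12:48:02.000000+0900","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","tls":{"subject":"CN=example.test"}}',
    '{"timestamp":"2017-03-20T12:48:03.000000+0900","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2017-03-20T12:48:04.000000+0900","event_type":"stats","stats":{"uptime":60}}',
    'this line is not JSON and must be reported, not crash the check',
]


def parse_eve(lines):
    """Return (records, bad_line_numbers).

    records is a list of (1-based line number, dict); any line that is empty
    is skipped, and any line that is not a JSON object is listed in bad.
    """
    records, bad = [], []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:          # json.JSONDecodeError is a ValueError
            bad.append(lineno)
            continue
        if not isinstance(rec, dict):
            bad.append(lineno)
            continue
        records.append((lineno, rec))
    return records, bad


def event_type_counts(lines):
    """Count records per event_type; records without the field count as '<missing>'."""
    records, bad = parse_eve(lines)
    counts = Counter(rec.get("event_type", "<missing>") for _, rec in records)
    return counts, bad


def unexpected_types(lines, allowed=("alert",)):
    """Set of event types present in the file that are not in `allowed`."""
    counts, _ = event_type_counts(lines)
    return {etype for etype in counts if etype not in allowed}


def only_alerts(lines):
    """True when every parseable line is an alert and no line is damaged."""
    counts, bad = event_type_counts(lines)
    return not bad and set(counts) == {"alert"}


def filter_events(lines, keep=("alert",)):
    """Post-hoc filter: the parsed records whose event_type is in `keep`."""
    records, _ = parse_eve(lines)
    return [rec for _, rec in records if rec.get("event_type") in keep]


def main(argv):
    # Usage: python check_eve.py /var/log/suricata/eve.json (no argument: samples)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_EVE_LINES
    counts, bad = event_type_counts(lines)
    for etype, n in sorted(counts.items()):
        print(f"{etype:12s} {n}")
    extra = unexpected_types(lines)
    if extra:
        print("eve.json still carries non-alert types:", ", ".join(sorted(extra)))
        print("-> remove or comment those entries under outputs: eve-log: types:")
    if bad:
        print("unparseable lines:", bad)
    return 0 if only_alerts(lines) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live file after a restart (or a `kill -USR2` rule reload is not enough, since output configuration is read at start-up); an exit status of 0 means only alert records were found. `filter_events` is for logs that were already written with the permissive configuration, so the alerts can be pulled out without reprocessing the traffic.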