[Oisf-users] Fwd: Eve JSON vs Normal Logs

Tiago Faria tiago.faria.backups at gmail.com
Thu Dec 27 10:10:08 UTC 2018

If you’re sending data over to Splunk, you definitely want to use JSON for

Make sure to install the TA on the Splunk side and apply that sourcetype
(suricata) to your SUF configuration.

TA -

Even though it will appear to work correctly if you don’t, there will be a
few events (out of hundreds) that Splunk will fail to line break.

I’m working on putting this, and other information, on the User Guide.
Hopefully that’ll be done soon and might assist you further.

Hope it helps!


On Thu, 27 Dec 2018 at 06:38, David Decker <x.faith at gmail.com> wrote:

> Question: Is there a reason to opt to use the normal logs vice eve json?
> Data will be going to Splunk. Taking over some work, and trying to
> understand the reasoning.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
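As an added check that is not part of this thread, the script below walks EVE output line by line and flags any physical line that is not a complete JSON event, which is the one-event-per-line property the Splunk line breaking discussed above depends on. The sample lines are constructed, and one event is deliberately split across two lines to stand in for a badly broken record.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE output (NDJSON: one JSON object per line).
# The third event is deliberately split across two physical lines to stand in
# for a record that a shipper or indexer failed to line break correctly.
SAMPLE_EVE = """\
{"timestamp":"2018-12-27T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":"CONSTRUCTED TEST RULE"}}
{"timestamp":"2018-12-27T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2018-12-27T10:00:02.000000+0000","event_type":"flow",
"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2018-12-27T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.com","url":"/"}}
"""


def check_eve_lines(text):
    """Return (counts_by_event_type, bad_lines) for a block of EVE text.

    Every non-empty physical line must parse as a single JSON object that
    carries an event_type. bad_lines lists (1-based line number, reason)
    for each line that violates this, which is exactly what would trip
    up a consumer that relies on newline-delimited events.
    """
    counts = Counter()
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            bad.append((lineno, f"not a complete JSON object: {exc.msg}"))
            continue
        if not isinstance(event, dict) or "event_type" not in event:
            bad.append((lineno, "JSON object without event_type"))
            continue
        counts[event["event_type"]] += 1
    return counts, bad


def check_eve_file(path):
    """Run the same check over an eve.json file on disk (path is the caller's)."""
    with open(path, encoding="utf-8") as fh:
        return check_eve_lines(fh.read())


if __name__ == "__main__":
    counts, bad = check_eve_lines(SAMPLE_EVE)
    print("events per type:", dict(counts))
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Point `check_eve_file` at the eve.json the forwarder monitors; a non-empty `bad` list on a file Suricata wrote itself means the problem is upstream of Splunk, otherwise the line breaking belongs to the sourcetype configuration.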
