[Oisf-users] Unique Alert ID when using EVE

Korodev korodev at gmail.com
Fri May 25 14:33:05 UTC 2018


We've been working on migrating from Unified2 to Eve logging and are
looking for some sort of unique identifier similar to event_id for an
event (specifically type alert) that Suricata generates. We haven't
dug into how event_id was traditionally generated, but is there
anything equivalent that is commonly used?

From what I can tell, some sort of hash on timestamp, flow_id, and
sig_sid is as close as it gets, though I'm not sure if I can count on
every generated alert to have a flow_id.
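One way to build the identifier the post sketches, as an added example that is not part of the original message and not Suricata's own code: hash the EVE `timestamp`, the flow component and the rule identity (`alert.gid`, `alert.signature_id`, `alert.rev`) with SHA-256, and fall back to the protocol 5-tuple when `flow_id` is absent. The EVE field names used here are assumptions from the EVE alert format; the sample records are constructed for this example and do not come from the original post.

```python
"""Derive a deterministic per-alert identifier from Suricata EVE JSON lines.

Added example (not from the original post). Field names follow the EVE alert
record layout as an assumption; sample records below are constructed.
"""
import hashlib
import json

# Constructed EVE records for this example, not captured Suricata output.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-05-25T14:33:05.123456+0000","flow_id":1234567890123456,'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9",'
    '"dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"constructed rule one"}}',
    # Same flow and timestamp, different signature: must get a different ID.
    '{"timestamp":"2018-05-25T14:33:05.123456+0000","flow_id":1234567890123456,'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9",'
    '"dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2100499,"rev":1,'
    '"signature":"constructed rule two"}}',
    # No flow_id at all: exercises the 5-tuple fallback (ICMP has no ports).
    '{"timestamp":"2018-05-25T14:33:06.000001+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"ICMP",'
    '"alert":{"gid":1,"signature_id":2100366,"rev":8,"signature":"constructed icmp rule"}}',
    # A non-alert record that the parser must skip.
    '{"timestamp":"2018-05-25T14:33:07.000000+0000","flow_id":42,"event_type":"flow"}',
]


def flow_key(record):
    """Return the flow component of the ID: flow_id when present, else the 5-tuple.

    Port-less protocols (ICMP) leave the port fields as None, which is fine because
    the string is only hashed, never parsed back.
    """
    flow_id = record.get("flow_id")
    if flow_id is not None:
        return "flow:%d" % flow_id
    return "tuple:%s:%s:%s:%s:%s" % (
        record.get("proto"), record.get("src_ip"), record.get("src_port"),
        record.get("dest_ip"), record.get("dest_port"))


def alert_id(record):
    """Return a hex digest that is stable for the same alert and distinct for others."""
    if record.get("event_type") != "alert":
        raise ValueError("not an alert record")
    alert = record["alert"]
    # Canonical, delimiter-separated material so that field boundaries cannot shift.
    material = "|".join([
        record["timestamp"],
        flow_key(record),
        "%d:%d:%d" % (alert.get("gid", 1), alert["signature_id"], alert.get("rev", 0)),
    ])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def ids_for_lines(lines):
    """Parse EVE lines and return {alert_id: record} for every alert record."""
    out = {}
    for line in lines:
        record = json.loads(line)
        if record.get("event_type") != "alert":
            continue
        out[alert_id(record)] = record
    return out


if __name__ == "__main__":
    for aid, rec in ids_for_lines(SAMPLE_EVE_LINES).items():
        print(aid[:16], rec["alert"]["signature_id"], flow_key(rec))
```

The digest is reproducible across replays of the same eve.json, which is what makes it usable for deduplication on the receiving side. Its limit is the one the post already hints at: two alerts for the same rule on the same flow in the same microsecond hash to the same value, so a consumer that must tell those apart needs an extra per-writer sequence number, and that number is no longer stable across replays.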
