[Oisf-users] Unique Alert ID when using EVE

Jason Ish ish at unx.ca
Fri May 25 14:42:30 UTC 2018


On Fri, 2018-05-25 at 09:33 -0500, Korodev wrote:
> Hi,
> 
> We've been working on migrating from Unified2 to Eve logging and are
> looking for some sort of unique identifier similar to event_id for an
> event (specifically type alert) that Suricata generates. We haven't
> dug into how event_id was traditionally generated, but is there
> anything equivalent that is commonly used?
> 
> From what I can tell, some sort of hash on timestamp, flow_id, and
> sig_sid is as close as it gets, though I'm not sure if I can count on
> every generated alert to have a flow_id.

There is no equivalent, but I think that's OK. I like to assign each
event a UUID or ULID in my process that reads events. Something you
would need to do with unified2 anyway.

Even with unified2 the event ID is not unique; I believe it starts from
1 on each restart of Suricata. Within the scope of unified2 it's used to
associate a packet record (or other event records) back to an event
record, something that is not usually required in Eve. So even with
unified2, I'm still giving each event an ID unique to my system.

Jason
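A consumer-side implementation of what Jason describes, added here as an example (it is not code from the thread or from Suricata): it reads EVE lines, keeps the alert records, gives each one a UUID, and also derives a deterministic key from timestamp, flow_id (only when present), signature and tuple fields, along the lines Korodev suggested, so that re-read lines can be recognised. The sample EVE lines, addresses and signature IDs are constructed.

```python
import hashlib
import json
import uuid

# Constructed EVE JSON lines for illustration (not real captures). The
# second alert carries no flow_id; the last line repeats the first alert,
# as happens when a consumer re-reads a rotated log file.
SAMPLE_EVE = """
{"timestamp":"2018-05-25T09:33:00.000001-0500","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000001,"rev":3,"signature":"constructed test rule"}}
{"timestamp":"2018-05-25T09:33:00.000002-0500","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2018-05-25T09:33:01.000000-0500","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"ICMP","alert":{"gid":1,"signature_id":2000002,"rev":1,"signature":"constructed test rule 2"}}
{"timestamp":"2018-05-25T09:33:00.000001-0500","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"gid":1,"signature_id":2000001,"rev":3,"signature":"constructed test rule"}}
"""

def dedup_key(event):
    """Deterministic key over the fields that identify one alert.
    flow_id is used when present but is not required, so an alert that
    has none still gets a stable key from the remaining fields."""
    alert = event.get("alert", {})
    fields = (
        event.get("timestamp"), event.get("flow_id"),
        alert.get("gid"), alert.get("signature_id"), alert.get("rev"),
        event.get("src_ip"), event.get("src_port"),
        event.get("dest_ip"), event.get("dest_port"), event.get("proto"),
    )
    raw = "\x1f".join("" if f is None else str(f) for f in fields)
    return hashlib.sha256(raw.encode()).hexdigest()

def tag_alerts(lines, seen=None):
    """Read EVE lines, keep event_type == "alert", and attach two IDs:
    event_uuid (unique on this system, assigned by the consumer) and
    dedup_key (stable across re-reads, marks a repeated line as duplicate).
    `seen` lets a long-running reader carry its key set across calls."""
    seen = set() if seen is None else seen
    tagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        key = dedup_key(event)
        event["dedup_key"] = key
        event["duplicate"] = key in seen
        event["event_uuid"] = str(uuid.uuid4())
        seen.add(key)
        tagged.append(event)
    return tagged
```

Running `tag_alerts(SAMPLE_EVE.splitlines())` yields three alerts with distinct UUIDs, the third flagged as a duplicate of the first by its dedup_key, while the flow record is skipped.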
