[Oisf-users] Unique Alert ID when using EVE
Jason Ish
ish at unx.ca
Fri May 25 15:54:29 UTC 2018
On Fri, 2018-05-25 at 10:23 -0500, Korodev wrote:
> > There is no equivalent, but I think that's OK. I like to assign each
> > event a UUID or ULID in my process that reads events. Something you
> > would need to do with unified2 anyways.
>
> Thanks for the quick reply and all the work you do around Suricata.
> Are you referring to any of your public projects that I might have
> missed? We need to easily detect when we might be re-processing
> events, so our unique id will need to key off alert attributes in
> some way.
EveBox has an eve-reader but I handled this case a little differently.
As events are committed to the database I track the line number in the
file that was most recently read, and the inode number. On restart I
can jump to the last event committed, or detect that the file has been
rolled over and I should start at the beginning again.
But for a given flow id you should see that the timestamp is always
incrementing. So that might be another option to consider.
Jason
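An added example (not EveBox's code and not from the thread) of the two ideas above: a reader that bookmarks the inode and the number of committed lines, restarts from line 0 when the inode changes (rotation), refuses to commit a record that has no trailing newline yet, and assigns each alert a deterministic ID keyed off its attributes so re-processing is detectable. The EVE records, the set of fields hashed and the file names are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile

def _alert(ts, flow, sip, sport, sid):  # constructed sample records, not from the thread
    return {"timestamp": ts, "flow_id": flow, "event_type": "alert", "src_ip": sip,
            "src_port": sport, "dest_ip": "10.0.0.9", "dest_port": 80,
            "alert": {"signature_id": sid, "rev": 1}}
SAMPLE_EVE = [_alert("2018-05-25T10:23:01.000001-0500", 1001, "10.0.0.5", 51000, 2100498),
              _alert("2018-05-25T10:23:01.000437-0500", 1001, "10.0.0.5", 51000, 2100498)]

def event_uid(ev):
    """Deterministic ID keyed off alert attributes: re-reading a line yields the same ID."""
    a = ev.get("alert", {})
    fields = (ev.get("timestamp"), ev.get("flow_id"), ev.get("src_ip"), ev.get("src_port"),
              ev.get("dest_ip"), ev.get("dest_port"), a.get("signature_id"), a.get("rev"))
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()

def read_new_events(path, bookmark=None):
    """Return (events, bookmark); bookmark = {"inode", "line"}: file last read, lines committed."""
    bookmark = bookmark or {}
    st = os.stat(path)
    # A different inode means the log was rotated: start over at line 0.
    done = bookmark.get("line", 0) if bookmark.get("inode") == st.st_ino else 0
    events = []
    with open(path, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            if n <= done:
                continue  # already committed before the restart
            if not line.endswith("\n"):
                break  # record still being written; pick it up on the next pass
            ev = json.loads(line)
            ev["uid"] = event_uid(ev)
            events.append(ev)
            done = n  # only advance past records actually committed
    return events, {"inode": st.st_ino, "line": done}

def demo():
    tmp = tempfile.mkdtemp()
    eve, rotated = os.path.join(tmp, "eve.json"), os.path.join(tmp, "eve.json.1")
    with open(eve, "w") as fh:
        fh.write(json.dumps(SAMPLE_EVE[0]) + "\n" + json.dumps(SAMPLE_EVE[1])[:20])
    first, bm = read_new_events(eve)  # second record is truncated: writer not finished
    with open(eve, "a") as fh:
        fh.write(json.dumps(SAMPLE_EVE[1])[20:] + "\n")  # writer completes the record
    second, bm = read_new_events(eve, bm)
    with open(rotated, "w") as fh:
        fh.write(json.dumps(SAMPLE_EVE[0]) + "\n")  # new inode stands in for a rotated log
    third, _ = read_new_events(rotated, bm)
    return [e["uid"] for e in first], [e["uid"] for e in second], [e["uid"] for e in third], bm
```

The two sample alerts share a flow_id but differ in timestamp, so they get distinct IDs, while the same record read again from the rotated file hashes to the ID it had before.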