[Oisf-users] Question on eve.json file
Jason Ish
jason.ish at oisf.net
Mon Dec 2 18:53:19 UTC 2019
Hi Leonard,
On 2019-12-01 10:38 p.m., Leonard Jacobs wrote:
> I have noticed that several log items are nested under alert. In
> particular, signature and action are nested under alert. Is there a way
> to not have those log items nested under alert with eve.json file?
No, there is not a way to do this with Suricata. Post-processing tools
like Logstash could likely be configured to make the transformation though.
Eve is a generic format with mostly generic event parameters at the top
level. Anything event_type specific is placed under the object for that
event_type.
Jason
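As an added illustration of the post-processing approach mentioned above (example code, not Suricata's own and not from the original thread), this script reads EVE JSON lines and lifts `signature` and `action` out of the `alert` object to the top level, leaving other event types untouched. The sample EVE lines are constructed for the example, and a top-level key that already exists is never overwritten.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample EVE lines (not real Suricata output): one alert event
# with signature/action nested under "alert", and one flow event.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-12-01T22:38:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"EXAMPLE constructed test rule","severity":3}}',
    '{"timestamp":"2019-12-01T22:38:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"flow":{"pkts_toserver":3,"pkts_toclient":2,"state":"closed"}}',
]


def flatten_event(event: Dict[str, Any],
                  fields: Iterable[str] = ("signature", "action")) -> Dict[str, Any]:
    """Copy the given keys from the event_type-specific object (e.g. "alert")
    to the top level of the event. An existing top-level key is left alone
    and the nested object is kept intact, so no information is lost."""
    etype = event.get("event_type")
    nested = event.get(etype)
    if not isinstance(nested, dict):
        return event
    out = dict(event)
    for key in fields:
        if key in nested and key not in out:
            out[key] = nested[key]
    return out


def flatten_eve_lines(lines: Iterable[str], **kwargs) -> List[Dict[str, Any]]:
    """Parse EVE JSON (one object per line), skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(flatten_event(json.loads(line), **kwargs))
        except json.JSONDecodeError:
            continue
    return events


if __name__ == "__main__":
    for ev in flatten_eve_lines(SAMPLE_EVE_LINES):
        print(json.dumps(ev))
```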