[Oisf-users] FW: [EXTERNAL] Suricata EVE logging

David Decker x.faith at gmail.com
Tue May 7 23:45:18 UTC 2019

I think I am having sort of the same problem, side note I am using
but wanted to switch the output to JSON (eve.json) which is being created,
but the alerts are not being populated.
I believe that they are still being populated for the Barnyard files (per
SO).   I know I had them both working for a few minutes but currently not
getting any thing.   here is the part from my suricata.yaml

# Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: suricata.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #  server:
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush,
      #             ## lpush and rpush are using a Redis list. "list" is an
alias for lpush
      #             ## publish is using a Redis channel. "channel" is an
alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by
      # connection at the cost of some memory. There is no flushing
      # so this setting as to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer

      # Include top level metadata. Default yes.
      metadata: yes

      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false

On Tue, May 7, 2019 at 4:10 PM Chris Ford <crford at gmail.com> wrote:

> Make sure that you have libjannson installed and that you have alerts
> enabled under the eve-log output section.
> https://suricata.readthedocs.io/en/suricata-4.1.3/output/eve/eve-json-output.html
> --
> Chris Ford - crford at gmail.com
> GPG Key - https://keybase.io/crford
>> *From:* Oisf-users [mailto:
>> oisf-users-bounces at lists.openinfosecfoundation.org] *On Behalf Of *Nafisa
>> Mandliwala
>> *Sent:* Tuesday, May 7, 2019 5:10 PM
>> *To:* oisf-users at lists.openinfosecfoundation.org
>> *Subject:* [Oisf-users] Suricata EVE logging
>> Hi all,
>> I have a question about suricata eve log. I tried enabling eve logging
>> (eve.json) by editing the suricata.yaml file-
>>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>>   - eve-log:
>>       enabled: yes
>>       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
>>       filename: eve.json
>> I'm not sure if I'm missing any steps but this does not generate the eve
>> log file under /var/log/suricata/. I tried playing around with
>> syslog/fast/http log and they all seem to work but not eve.
>> Is enabling the setting in suricata.yaml the only change that needs to be
>> made?
>> Thanks,
>> Nafisa
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190507/e2e707c8/attachment.html>

More information about the Oisf-users mailing list