[Oisf-users] FW: [EXTERNAL] Suricata EVE logging
David Decker
x.faith at gmail.com
Tue May 7 23:45:18 UTC 2019
I think I am having sort of the same problem; side note, I am using
SecurityOnion.
I wanted to switch the output to JSON (eve.json), which is being created,
but the alerts are not being populated.
I believe that they are still being populated for the Barnyard files (per
SO). I know I had them both working for a few minutes but currently I am not
getting anything. Here is the part from my suricata.yaml:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: suricata.json
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      #redis:
      #  server: 127.0.0.1
      #  port: 6379
      #  async: true ## if redis replies are read asynchronously
      #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
      #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
      #             ## publish is using a Redis channel. "channel" is an alias for publish
      #  key: suricata ## key or channel to use (default to suricata)
      # Redis pipelining set up. This will enable to only do a query every
      # 'batch-size' events. This should lower the latency induced by network
      # connection at the cost of some memory. There is no flushing implemented
      # so this setting has to be reserved to high traffic suricata.
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entries to keep in buffer

      # Include top level metadata. Default yes.
      metadata: yes

      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false
On Tue, May 7, 2019 at 4:10 PM Chris Ford <crford at gmail.com> wrote:
> Make sure that you have libjansson installed and that you have alerts
> enabled under the eve-log output section.
>
>
> https://suricata.readthedocs.io/en/suricata-4.1.3/output/eve/eve-json-output.html
> --
> Chris Ford - crford at gmail.com
> GPG Key - https://keybase.io/crford
>
>
>
>> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Nafisa Mandliwala
>> Sent: Tuesday, May 7, 2019 5:10 PM
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: [Oisf-users] Suricata EVE logging
>>
>> Hi all,
>>
>> I have a question about the suricata eve log. I tried enabling eve logging
>> (eve.json) by editing the suricata.yaml file:
>>
>>   # Extensible Event Format (nicknamed EVE) event log in JSON format
>>   - eve-log:
>>       enabled: yes
>>       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
>>       filename: eve.json
>>
>> I'm not sure if I'm missing any steps, but this does not generate the eve
>> log file under /var/log/suricata/. I tried playing around with
>> syslog/fast/http log and they all seem to work, but not eve.
>>
>> Is enabling the setting in suricata.yaml the only change that needs to be
>> made?
>>
>> Thanks,
>>
>> Nafisa
>>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
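For reference (an editor's addition, not text from any message in this thread): both pasted fragments above stop before the eve-log `types:` list, and Chris's point is that eve-log only writes alert records when `alert` is listed there. A minimal eve-log section that does log alerts, built from keys in the stock Suricata 4.1 suricata.yaml, looks like this; the filename and the set of enabled event types are choices, not values from the thread:

```yaml
outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular        # regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json       # relative names land in default-log-dir (/var/log/suricata/ in the stock config)
      # Include top level metadata. Default yes.
      metadata: yes
      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false
      # Without a 'types' list that contains 'alert', the file is created
      # (enabled: yes) but no alert records are ever written to it.
      types:
        - alert:
            tagged-packets: yes   # also log packets tagged by a matching rule
        - http:
            extended: yes         # extra HTTP fields (user-agent, referer, ...)
        - dns
        - tls:
            extended: yes
        - flow
```

Validate the edited file with `suricata -T -c /etc/suricata/suricata.yaml` (config path assumed) before restarting, then confirm records arrive with `jq 'select(.event_type == "alert")' /var/log/suricata/eve.json`.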