[Oisf-users] FW: [EXTERNAL] Suricata EVE logging
Peter Manev
petermanev at gmail.com
Thu May 9 19:16:01 UTC 2019
> On 8 May 2019, at 01:45, David Decker <x.faith at gmail.com> wrote:
>
> I think I am having sort of the same problem, side note I am using SecurityOnion.
> but wanted to switch the output to JSON (eve.json) which is being created, but the alerts are not being populated.
They should be present in the JSON log as "event_type":"alert". Is that the case?
What is the output of `suricata --build-info`?
> I believe that they are still being populated for the Barnyard files (per SO). I know I had them both working for a few minutes but currently not getting anything. Here is the part from my suricata.yaml
>
> # Extensible Event Format (nicknamed EVE) event log in JSON format
> - eve-log:
>     enabled: yes
>     filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
>     filename: suricata.json
>     #prefix: "@cee: " # prefix to prepend to each log entry
>     # the following are valid when type: syslog above
>     #identity: "suricata"
>     #facility: local5
>     #level: Info ## possible levels: Emergency, Alert, Critical,
>                  ## Error, Warning, Notice, Info, Debug
>     #redis:
>     #  server: 127.0.0.1
>     #  port: 6379
>     #  async: true ## if redis replies are read asynchronously
>     #  mode: list ## possible values: list|lpush (default), rpush, channel|publish
>     #             ## lpush and rpush are using a Redis list. "list" is an alias for lpush
>     #             ## publish is using a Redis channel. "channel" is an alias for publish
>     #  key: suricata ## key or channel to use (default to suricata)
>     # Redis pipelining set up. This will enable to only do a query every
>     # 'batch-size' events. This should lower the latency induced by network
>     # connection at the cost of some memory. There is no flushing implemented
>     # so this setting as to be reserved to high traffic suricata.
>     #  pipelining:
>     #    enabled: yes ## set enable to yes to enable query pipelining
>     #    batch-size: 10 ## number of entry to keep in buffer
>
>     # Include top level metadata. Default yes.
>     metadata: yes
>
>     # include the name of the input pcap file in pcap file processing mode
>     pcap-file: false
>
>> On Tue, May 7, 2019 at 4:10 PM Chris Ford <crford at gmail.com> wrote:
>> Make sure that you have libjansson installed and that you have alerts enabled under the eve-log output section.
>>
>> https://suricata.readthedocs.io/en/suricata-4.1.3/output/eve/eve-json-output.html
>> --
>> Chris Ford - crford at gmail.com
>> GPG Key - https://keybase.io/crford
>>
>>
>>> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Nafisa Mandliwala
>>> Sent: Tuesday, May 7, 2019 5:10 PM
>>> To: oisf-users at lists.openinfosecfoundation.org
>>> Subject: [Oisf-users] Suricata EVE logging
>>>
>>> Hi all,
>>>
>>> I have a question about suricata eve log. I tried enabling eve logging (eve.json) by editing the suricata.yaml file-
>>>
>>> # Extensible Event Format (nicknamed EVE) event log in JSON format
>>> - eve-log:
>>>     enabled: yes
>>>     filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
>>>     filename: eve.json
>>>
>>> I'm not sure if I'm missing any steps but this does not generate the eve log file under /var/log/suricata/. I tried playing around with syslog/fast/http log and they all seem to work but not eve.
>>>
>>> Is enabling the setting in suricata.yaml the only change that needs to be made?
>>>
>>> Thanks,
>>>
>>> Nafisa
>>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
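As an added example, not code from anyone in this thread: the reply above says working alerts show up in eve.json as records with "event_type":"alert", so this script tallies the event types in an EVE file and lists the alerts it finds, which is a quick way to tell "no alerts logged" apart from "eve.json not written at all". The EVE lines embedded below are constructed sample records (sid 1000001 is a made-up local rule), not real sensor output; point `summarize_eve` at the contents of /var/log/suricata/eve.json to check a live sensor.

```python
"""Tally event types in a Suricata EVE JSON log and list the alert records."""
import json
from collections import Counter

# Constructed sample EVE lines: one flow record, one alert, one broken line
# (a partial write, as seen when reading a file the sensor is still writing).
SAMPLE_EVE = """\
{"timestamp":"2019-05-09T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2019-05-09T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED TEST alert","category":"Misc activity","severity":3}}
{"timestamp":"2019-05-09T10:00:02.0
"""


def summarize_eve(text):
    """Return (Counter of event_type, list of alert summaries, unparsable line count)."""
    counts = Counter()
    alerts = []
    bad = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # skip truncated/partial lines instead of aborting
            continue
        etype = rec.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            a = rec.get("alert", {})  # the nested "alert" object carries rule details
            alerts.append({
                "sid": a.get("signature_id"),
                "signature": a.get("signature"),
                "severity": a.get("severity"),
                "src": f"{rec.get('src_ip')}:{rec.get('src_port')}",
                "dst": f"{rec.get('dest_ip')}:{rec.get('dest_port')}",
            })
    return counts, alerts, bad


def has_alerts(text):
    """True when at least one record in the EVE text has event_type == "alert"."""
    return summarize_eve(text)[0]["alert"] > 0


if __name__ == "__main__":
    counts, alerts, bad = summarize_eve(SAMPLE_EVE)
    print("event types:", dict(counts), "| unparsable lines:", bad)
    for a in alerts:
        print(f"sid {a['sid']} sev {a['severity']}: {a['signature']} {a['src']} -> {a['dst']}")
```

If the event-type tally shows flow, http or dns records but never alert, the eve-log output is working and the missing piece is the alert type under its `types:` list (or rules that are not matching); if the file is empty or absent, the output itself is not being opened.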