[Oisf-users] Is it Possible Rename/Alias Fields in eve.json ?
Jason Ish
jason.ish at oisf.net
Wed Oct 2 18:44:45 UTC 2019
Hi John,
On 2019-10-02 10:41 a.m., John Peters wrote:
> This one came up out from the guys running our log aggregator, but is it
> possible to rename the field written to eve.json either using an alias
> or tweaking suricata.yaml? I've tried looking a bit, but suspect it's
> either not possible or I'm just not using the right terms.
>
> For example, host: is throwing their aggregator off because it happens
> to be a reserved word, so they have to run some script on their side to
> translate the host: field in eve.json to another name. They'd like to
> see if it's possible to change the name because it'll help reduce cycles
> on their already strapped system. ie, instead of writing
> host:"foo.bar.com", write myhost:"foo.bar.com"
No. There is no way to do this within Suricata. The usual approach would
be for the tool reading the logs to do some on-the-fly transformations.
Logstash is capable of this. I'm not really familiar with other tools
other than custom scripts, like you mention.
Jason
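The consumer-side transformation Jason describes, as an added example that is not part of the original thread and not code from Suricata or Logstash: a small Python filter that reads eve.json line by line and renames a key before the record reaches the aggregator. It goes slightly beyond the thread's case by accepting dotted paths (e.g. `http.hostname`), refusing to clobber a destination key that already exists, and passing malformed lines through untouched so nothing is dropped. The sample lines are constructed for this example; the field names `myhost` and `sensor_id` are assumptions, not Suricata output.

```python
"""Rename a field in Suricata eve.json records on the log-consumer side.

Suricata itself offers no way to alias eve.json keys, so the rename has to
happen in whatever reads the file. This mirrors what a Logstash `mutate`
rename filter does, in plain Python so it runs anywhere.
"""
import json
from typing import Iterable, Iterator, Optional, Tuple

# Constructed sample eve.json lines (not captured from a real sensor).
# The top-level "host" key is the one the aggregator in the thread chokes
# on; the other fields are there only to show they pass through unchanged.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-10-02T10:41:00.000000+0000","event_type":"alert",'
    '"host":"foo.bar.com","src_ip":"10.0.0.5",'
    '"alert":{"signature":"TEST","signature_id":1}}',
    '{"timestamp":"2019-10-02T10:41:01.000000+0000","event_type":"http",'
    '"host":"foo.bar.com","http":{"hostname":"example.org","url":"/"}}',
    '{"timestamp":"2019-10-02T10:41:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5"}',
    'not json at all',  # a truncated/corrupt line must not be lost
]


def _walk(obj: dict, parts: list, create: bool) -> Tuple[Optional[dict], str]:
    """Follow a dotted path down to the parent dict of its last component.

    Returns (parent, last_key), or (None, last_key) if an intermediate is
    missing (and create is False) or is not an object.
    """
    cur = obj
    for part in parts[:-1]:
        nxt = cur.get(part)
        if not isinstance(nxt, dict):
            if nxt is not None or not create:
                return None, parts[-1]
            nxt = cur[part] = {}
        cur = nxt
    return cur, parts[-1]


def rename_field(record: dict, old: str, new: str) -> dict:
    """Return a copy of `record` with key `old` moved to key `new`.

    Both names may be dotted paths. If `old` is absent the copy is returned
    unchanged; if `new` already exists, nothing is overwritten and the old
    key is kept, so no data is silently discarded.
    """
    out = json.loads(json.dumps(record))  # deep copy; eve records are plain JSON
    src_parent, src_key = _walk(out, old.split("."), create=False)
    if src_parent is None or src_key not in src_parent:
        return out
    dst_parent, dst_key = _walk(out, new.split("."), create=True)
    if dst_parent is None or dst_key in dst_parent:
        return out
    dst_parent[dst_key] = src_parent.pop(src_key)
    return out


def rename_lines(lines: Iterable[str], old: str, new: str) -> Iterator[str]:
    """Apply rename_field to each JSON line; non-JSON lines pass through as-is."""
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            yield line
            continue
        if not isinstance(record, dict):
            yield line
            continue
        # Compact separators keep the output one record per line, like eve.json.
        yield json.dumps(rename_field(record, old, new), separators=(",", ":"))


if __name__ == "__main__":
    for out_line in rename_lines(SAMPLE_EVE_LINES, "host", "myhost"):
        print(out_line)
```

In production this would read `eve.json` via `tail -F` or a file input rather than the embedded list. The Logstash equivalent Jason alludes to is a `filter { mutate { rename => { "host" => "myhost" } } }` stanza; the behaviour worth copying from the Python version is the refusal to overwrite an existing destination key, since a silent clobber is exactly the kind of bug that makes alert context disappear from the aggregator.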