[Oisf-users] Adding fields to Suricata EVE file?

Champ Clark III cclark at quadrantsec.com
Mon Sep 23 17:13:11 UTC 2019


Thank you Jason!  I'll give that a shot!

----- Original Message -----
From: "Jason Ish" <jason.ish at oisf.net>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Monday, September 23, 2019 1:00:38 PM
Subject: Re: [Oisf-users] Adding fields to Suricata EVE file?

Hi Champ,

On 2019-09-23 10:55 a.m., Champ Clark III wrote:
> 
> Is it possible to add a field to the Suricata EVE file without code
> modifications?  For example, let's say I want to add an EVE field of
> "sensor_location" with a value of "Jacksonville_Florida",  how would I
> do this?  

No, there is nothing built-in to do this. However, the idea of being
able to statically add some fields isn't a bad one.

For the example you suggest above, the configuration file does have the
"sensor-name" value which will show up in the eve-log as "host" which
might be useful.

Jason
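Since Suricata only offers the configured `sensor-name` (emitted as the `host` key of each EVE record) and has no built-in way to add arbitrary static fields, the practical route without touching Suricata's code is a small sidecar that rewrites the JSON lines on their way to the SIEM. The script below is an added example for this thread, not code from Suricata or from either poster. The `sensor-name` value `jax-ids-01`, the `sensor_location` field and the sample alert record are all constructed for illustration; the record mirrors the shape of an EVE alert with `sensor-name: jax-ids-01` set in suricata.yaml.

```python
"""Add static fields to Suricata EVE JSON records outside of Suricata.

Added example for this thread; not Suricata code. Suricata itself only
offers the configured ``sensor-name``, which shows up as ``host`` in each
EVE record. Any other static field (e.g. ``sensor_location``) has to be
injected by something that rewrites the JSON lines, which this script does.
Usage:  tail -F /var/log/suricata/eve.json | python eve_enrich.py > out.json
"""
import json
import sys

# Constructed EVE alert resembling what Suricata emits with
# ``sensor-name: jax-ids-01`` in suricata.yaml. All values are made up.
SAMPLE_EVE_LINE = (
    '{"timestamp":"2019-09-23T12:00:00.000000+0000","flow_id":123456789,'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    '"host":"jax-ids-01","alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root"}}'
)

# Static fields to add to every record. Hypothetical names and values.
STATIC_FIELDS = {"sensor_location": "Jacksonville_Florida"}


def enrich_record(line, fields, overwrite=False):
    """Parse one EVE line and merge ``fields`` in; return the dict.

    Returns None when the line is not a JSON object, so a truncated or
    corrupt line (common when tailing a file being rotated) is passed
    through untouched instead of killing the pipeline.

    Keys Suricata already wrote (``host``, ``event_type`` ...) are kept
    unless ``overwrite`` is set, so a typo in the static-field map cannot
    silently clobber data the sensor produced.
    """
    try:
        record = json.loads(line)
    except ValueError:
        return None
    if not isinstance(record, dict):
        return None
    for key, value in fields.items():
        if overwrite or key not in record:
            record[key] = value
    return record


def add_static_fields(line, fields, overwrite=False):
    """Return the enriched line as compact JSON, or the input unchanged."""
    record = enrich_record(line, fields, overwrite)
    if record is None:
        return line.rstrip("\n")
    return json.dumps(record, separators=(",", ":"))


def enrich_stream(src, dst, fields, overwrite=False):
    """Rewrite every line of ``src`` onto ``dst``; return the line count."""
    count = 0
    for line in src:
        dst.write(add_static_fields(line, fields, overwrite) + "\n")
        count += 1
    return count


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: show the effect on the constructed sample.
        print(add_static_fields(SAMPLE_EVE_LINE, STATIC_FIELDS))
    else:
        enrich_stream(sys.stdin, sys.stdout, STATIC_FIELDS)
```

The `overwrite=False` default is deliberate: when the same map is reused across sensors, a stale `host` entry in it would otherwise overwrite the value Suricata derived from `sensor-name`, and the record would then lie about which sensor saw the traffic.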

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
