[Oisf-users] Add HTTP Payload to eve-log

Konstantin Klinger konstantinklinger at mailbox.org
Sun Jan 5 08:57:41 UTC 2020

Hi Felix,

which Suricata version are you running? And can you please share your suricata.yaml configuration? As far as I can see the fields http_request_body and http_response_body are supported since Suricata 4.0 in the eve json output, but you have to enable it in the configuration:

            metadata: yes             # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes           # Requires metadata; enable dumping of http body in Base64
            http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

For further questions on the eve json format maybe this link will help you: https://github.com/satta/suricata-json-schema
We would also be very happy for any contribution to that repo to improve the documentation of the eve json output fields.



> On January 5, 2020 at 4:20 AM Felix Müller <ffomueller at gmail.com> wrote:
> Hi,
> is it possible to add the payload of the type "http" to eve.log even 
> when the  event has not triggered an alert?
> I searched in the configuration and the documentation and it seems that 
> is only possible to get http payloads to a separate file with the option 
> "http-body-data".
> Regards
> Felix
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20200105/8c417b8d/attachment.sig>

More information about the Oisf-users mailing list