@ -3,14 +3,16 @@
Eve JSON Output
===============
Suricata can output alerts, http events, dns events, tls events and file info through json.
The EVE output facility outputs alerts, metadata, file info and protocol
specific records through JSON.
The most common way to use this is through 'EVE', which is a firehose approach where all these logs go into a single file.
The most common way to use this is through 'EVE', which is a firehose approach
where all these logs go into a single file.
.. literalinclude:: ../../partials/eve-log.yaml
Each alert, http log, etc will go into this one file: 'eve.json'. This file
can then be processed by 3rd party tools like Logstash or jq.
can then be processed by 3rd party tools like Logstash (ELK) or jq.
Output types
~~~~~~~~~~~~
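Review bot: the rewritten opening sentence should hyphenate the compound adjective, i.e. "file info and protocol-specific records through JSON" rather than "protocol specific records". Dropping the explicit list from the old line ("alerts, http events, dns events, tls events and file info") also costs readers who search the page for a protocol name; consider closing the paragraph with a pointer such as "see Output types below", since that section lists the record types. The unchanged context line "3rd party tools like Logstash (ELK) or jq" would read better as "third-party tools", but that is outside this change.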
@ -265,3 +267,71 @@ Several flags can be specified to control the JSON output in EVE:
escape-slash: yes
All these flags are enabled by default, and can be modified per EVE instance.
Community Flow ID
~~~~~~~~~~~~~~~~~
Often Suricata is used in combination with other tools like Bro/Zeek. Enabling
the community-id option in the eve-log section adds a new ``community_id``
field to each output.
Example::
{
"timestamp": "2003-12-16T13:21:44.891921+0000",
"flow_id": 1332028388187153,
"pcap_cnt": 1,
"event_type": "alert",
...
"community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1,
},
}
{
"timestamp": "2003-12-16T13:21:45.037333+0000",
"flow_id": 1332028388187153,
"event_type": "flow",
"flow": {
"pkts_toserver": 5,
"pkts_toclient": 4,
"bytes_toserver": 338,
"bytes_toclient": 272,
"start": "2003-12-16T13:21:44.891921+0000",
"end": "2003-12-16T13:21:45.346457+0000",
"age": 1,
"state": "closed",
"reason": "shutdown",
"alerted": true
},
"community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
}
Options
"""""""
The output can be enabled per instance of the EVE logger.
The ``community-id`` option is boolean. If set to ``true`` it is enabled.
The ``community-id-seed`` option specifies a unsigned 16 bit value that
is used a seed to the hash that is calculated for the ``community-id``
output. This must be set to the same value on all tools that output this
record.
YAML::
- eve-log:
# Community Flow ID
# Adds a 'community_id' field to EVE records. These are meant to give
# a records a predictable flow id that can be used to match records to
# output of other tools such as Bro.
#
# Takes a 'seed' that needs to be same across sensors and tools
# to make the id less predictable.
# enable/disable the community id feature.
community-id: false
# Seed value for the ID output. Valid values are 0-65535.
community-id-seed: 0
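Review bot: the Options paragraph has two grammar slips that should be fixed before merge: "specifies a unsigned 16 bit value that is used a seed to the hash" should read "specifies an unsigned 16-bit value that is used as a seed for the hash". The YAML comment block has the same kind of slip ("give a records a predictable flow id" should be "give records a predictable flow id"), and its closing line "to make the id less predictable" is confusing next to the paragraph above, which says the seed must be identical on every tool that emits the record; better to state the operational consequence plainly: if sensors or tools use different seeds, their community ids will not match and records cannot be correlated. Finally, both JSON examples carry trailing commas before a closing brace ("signature_id": 1, then }, and "community_id": "...", then }), which makes them invalid JSON if a reader copies them; either drop the commas or keep the "..." elision marker in both places so it is clear fields were omitted.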