summaryrefslogtreecommitdiffstats
path: root/doc/userguide/partials/eve-log.yaml
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
commita0aa2307322cd47bbf416810ac0292925e03be87 (patch)
tree37076262a026c4b48c8a0e84f44ff9187556ca35 /doc/userguide/partials/eve-log.yaml
parentInitial commit. (diff)
downloadsuricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz
suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/userguide/partials/eve-log.yaml')
-rw-r--r--doc/userguide/partials/eve-log.yaml187
1 files changed, 187 insertions, 0 deletions
diff --git a/doc/userguide/partials/eve-log.yaml b/doc/userguide/partials/eve-log.yaml
new file mode 100644
index 0000000..9652257
--- /dev/null
+++ b/doc/userguide/partials/eve-log.yaml
@@ -0,0 +1,187 @@
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ # Enable for multi-threaded eve.json output; output files are amended
+ # with an identifier, e.g., eve.9.json
+ #threaded: false
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # Requires metadata; enable dumping of http body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+
+ # Configure the metadata to be logged along with an
+ # alert. The following shows the default configuration
+ # which is used if this field is not provided or simply
+ # set to a truthful value. Setting of this section is only
+ # required if you wish to enable/disable specific fields.
+ #metadata:
+
+ # Include the decoded application layer (ie. http, dns)
+ app-layer: true
+
+ # Log the current state of the flow record.
+ flow: true
+
+ rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ metadata: true
+
+ # Log the raw rule text.
+ raw: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # Use version 2 logging with the new format:
+ # dns answers will be logged in one single event
+ # rather than an event for each of the answers.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #answer-format: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #answer-types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - dns:
+ # Version 1 DNS logger.
+ # Deprecated: Will be removed by May 2022.
+ version: 1
+
+ enabled: no
+ # control logging of queries and answers
+ # default yes, no to disable
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ # control which RR types are logged
+ # all enabled if custom not specified
+ #custom: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ # NFS logging.
+ - nfs
+ # IKE logging.
+ - ike
+ # BitTorrent DHT logging.
+ - bittorrent-dht
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - dhcp:
+ # DHCP logging.
+ enabled: yes
+ # When extended mode is on, all DHCP messages are logged
+ # with full detail. When extended mode is off (the
+ # default), just enough information to map a MAC address
+ # to an IP address is logged.
+ extended: no
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # An event for logging metadata, specifically pktvars when
+ # they are set, but will also include the full metadata object.
+ #- metadata