Acked-by: Michael Tremer
> On 5 Apr 2020, at 12:03, Stefan Schantl wrote:
>
> Hopefully the EVE log will display some more content when trying to
> debug suricata events and rules.
>
> Fixes #12315.
>
> Signed-off-by: Stefan Schantl
> ---
> config/suricata/suricata.yaml | 209 ++++++++++++++++++++++++++++++++++
> 1 file changed, 209 insertions(+)
>
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 973b2686c..1f33ea0f3 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -92,6 +92,215 @@ outputs:
> threads: no # per thread stats
> #null-values: yes # print counters that have value 0
>
> + # Extensible Event Format (nicknamed EVE) event log in JSON format
> + - eve-log:
> + enabled: no
> + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
> + filename: eve.json
> + #prefix: "@cee: " # prefix to prepend to each log entry
> + # the following are valid when type: syslog above
> + #identity: "suricata"
> + #facility: local5
> + #level: Info ## possible levels: Emergency, Alert, Critical,
> + ## Error, Warning, Notice, Info, Debug
> + #redis:
> + # server: 127.0.0.1
> + # port: 6379
> + # async: true ## if redis replies are read asynchronously
> + # mode: list ## possible values: list|lpush (default), rpush, channel|publish
> + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
> + # ## publish is using a Redis channel. "channel" is an alias for publish
> + # key: suricata ## key or channel to use (default to suricata)
> + # Redis pipelining set up. This will enable to only do a query every
> + # 'batch-size' events. This should lower the latency induced by network
> + # connection at the cost of some memory. There is no flushing implemented
> + # so this setting as to be reserved to high traffic suricata.
> + # pipelining:
> + # enabled: yes ## set enable to yes to enable query pipelining
> + # batch-size: 10 ## number of entry to keep in buffer
> +
> + # Include top level metadata. Default yes.
> + #metadata: no
> +
> + # include the name of the input pcap file in pcap file processing mode
> + pcap-file: false
> +
> + # Community Flow ID
> + # Adds a 'community_id' field to EVE records. These are meant to give
> + # a records a predictable flow id that can be used to match records to
> + # output of other tools such as Bro.
> + #
> + # Takes a 'seed' that needs to be same across sensors and tools
> + # to make the id less predictable.
> +
> + # enable/disable the community id feature.
> + community-id: false
> + # Seed value for the ID output. Valid values are 0-65535.
> + community-id-seed: 0
> +
> + # HTTP X-Forwarded-For support by adding an extra field or overwriting
> + # the source or destination IP address (depending on flow direction)
> + # with the one reported in the X-Forwarded-For HTTP header. This is
> + # helpful when reviewing alerts for traffic that is being reverse
> + # or forward proxied.
> + xff:
> + enabled: no
> + # Two operation modes are available, "extra-data" and "overwrite".
> + mode: extra-data
> + # Two proxy deployments are supported, "reverse" and "forward". In
> + # a "reverse" deployment the IP address used is the last one, in a
> + # "forward" deployment the first IP address is used.
> + deployment: reverse
> + # Header name where the actual IP address will be reported, if more
> + # than one IP address is present, the last IP address will be the
> + # one taken into consideration.
> + header: X-Forwarded-For
> +
> + types:
> + - alert:
> + # payload: yes # enable dumping payload in Base64
> + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
> + # payload-printable: yes # enable dumping payload in printable (lossy) format
> + # packet: yes # enable dumping of packet (without stream segments)
> + # metadata: no # enable inclusion of app layer metadata with alert. Default yes
> + # http-body: yes # Requires metadata; enable dumping of http body in Base64
> + # http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
> +
> + # Enable the logging of tagged packets for rules using the
> + # "tag" keyword.
> + tagged-packets: yes
> + - anomaly:
> + # Anomaly log records describe unexpected conditions such
> + # as truncated packets, packets with invalid IP/UDP/TCP
> + # length values, and other events that render the packet
> + # invalid for further processing or describe unexpected
> + # behavior on an established stream. Networks which
> + # experience high occurrences of anomalies may experience
> + # packet processing degradation.
> + #
> + # Anomalies are reported for the following:
> + # 1. Decode: Values and conditions that are detected while
> + # decoding individual packets. This includes invalid or
> + # unexpected values for low-level protocol lengths as well
> + # as stream related events (TCP 3-way handshake issues,
> + # unexpected sequence number, etc).
> + # 2. Stream: This includes stream related events (TCP
> + # 3-way handshake issues, unexpected sequence number,
> + # etc).
> + # 3. Application layer: These denote application layer
> + # specific conditions that are unexpected, invalid or are
> + # unexpected given the application monitoring state.
> + #
> + # By default, anomaly logging is disabled. When anomaly
> + # logging is enabled, applayer anomaly reporting is
> + # enabled.
> + enabled: yes
> + #
> + # Choose one or more types of anomaly logging and whether to enable
> + # logging of the packet header for packet anomalies.
> + types:
> + # decode: no
> + # stream: no
> + # applayer: yes
> + #packethdr: no
> + - http:
> + extended: yes # enable this for extended logging information
> + # custom allows additional http fields to be included in eve-log
> + # the example below adds three additional fields when uncommented
> + #custom: [Accept-Encoding, Accept-Language, Authorization]
> + # set this value to one and only one among {both, request, response}
> + # to dump all http headers for every http request and/or response
> + # dump-all-headers: none
> + - dns:
> + # This configuration uses the new DNS logging format,
> + # the old configuration is still available:
> + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
> +
> + # As of Suricata 5.0, version 2 of the eve dns output
> + # format is the default.
> + #version: 2
> +
> + # Enable/disable this logger. Default: enabled.
> + #enabled: yes
> +
> + # Control logging of requests and responses:
> + # - requests: enable logging of DNS queries
> + # - responses: enable logging of DNS answers
> + # By default both requests and responses are logged.
> + #requests: no
> + #responses: no
> +
> + # Format of answer logging:
> + # - detailed: array item per answer
> + # - grouped: answers aggregated by type
> + # Default: all
> + #formats: [detailed, grouped]
> +
> + # Types to log, based on the query type.
> + # Default: all.
> + #types: [a, aaaa, cname, mx, ns, ptr, txt]
> + - tls:
> + extended: yes # enable this for extended logging information
> + # output TLS transaction where the session is resumed using a
> + # session id
> + #session-resumption: no
> + # custom allows to control which tls fields that are included
> + # in eve-log
> + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
> + - files:
> + force-magic: no # force logging magic on all logged files
> + # force logging of checksums, available hash functions are md5,
> + # sha1 and sha256
> + #force-hash: [md5]
> + #- drop:
> + # alerts: yes # log alerts that caused drops
> + # flows: all # start or all: 'start' logs only a single drop
> + # # per flow direction. All logs each dropped pkt.
> + - smtp:
> + #extended: yes # enable this for extended logging information
> + # this includes: bcc, message-id, subject, x_mailer, user-agent
> + # custom fields logging from the list:
> + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
> + # x-originating-ip, in-reply-to, references, importance, priority,
> + # sensitivity, organization, content-md5, date
> + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
> + # output md5 of fields: body, subject
> + # for the body you need to set app-layer.protocols.smtp.mime.body-md5
> + # to yes
> + #md5: [body, subject]
> +
> + #- dnp3
> + - ftp
> + #- rdp
> + - nfs
> + - smb
> + - tftp
> + - ikev2
> + - krb5
> + - snmp
> + #- sip
> + - dhcp:
> + enabled: yes
> + # When extended mode is on, all DHCP messages are logged
> + # with full detail. When extended mode is off (the
> + # default), just enough information to map a MAC address
> + # to an IP address is logged.
> + extended: no
> + - ssh
> + - stats:
> + totals: yes # stats for all threads merged together
> + threads: no # per thread stats
> + deltas: no # include delta values
> + # bi-directional flows
> + - flow
> + # uni-directional flows
> + #- netflow
> +
> + # Metadata event type. Triggered whenever a pktvar is saved
> + # and will include the pktvars, flowvars, flowbits and
> + # flowints.
> + #- metadata
> +
> logging:
> # The default log level, can be overridden in an output section.
> # Note that debug level logging will only be emitted if Suricata was
> --
> 2.26.0
>
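Review bot: The example `#custom: [Accept-Encoding, Accept-Language, Authorization]` under `- http:` would, if uncommented as written, write the `Authorization` header — Basic credentials or bearer tokens of every monitored client — in clear into eve.json, and nothing in the hunk says so; I would add `# note: logging Authorization writes client credentials into eve.json in clear; keep it off unless the log is access-controlled` above that line, and the same caveat belongs next to the commented `payload`/`http-body` options under `- alert:`, which dump raw packet and body content. Separately, the block lands with `enabled: no`, so the EVE output the commit message wants for debugging does not exist until that is flipped to `yes`; a comment stating where it is meant to be switched on (presumably by the IDS management code, which is not visible here) would spare the next maintainer a hunt. The `eve-log` list item closes inside the hunk; the enclosing `outputs:` sequence begins before it.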