Feature #1191

open

EVE log does not support customformat

Added by Paul Gofran over 7 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Target version:
Effort: low
Difficulty: medium
Label:

Description

HTTP logging with EVE log does not support the customformat tag. It would be beneficial to have consistent features between EVE logging and regular http-log, which does support the customformat tag.

This is similar to #1150, where tls.store cannot be used with EVE log.

Actions #1

Updated by Victor Julien over 7 years ago

Does this do what you need? https://github.com/inliniac/suricata/pull/956

It allows for extra logging of http headers, although it's limited to a hardcoded list currently: https://github.com/inliniac/suricata/pull/956/files#diff-544ba33b2a4e8950a3c135a9717f319dR130

Actions #2

Updated by Paul Gofran over 7 years ago

A few things that we would like to see in addition to this are some of the things identified in #602:
Cookie parsing, e.g. "%{Foobar}C"
Max length, e.g. "%[100]{Referer}i"

Also I did not see User-Agent in this list.
If HTTP_FIELD_SIZE could be broken up into request size and response size that would also be helpful.

Actions #3

Updated by Victor Julien over 7 years ago

  • Tracker changed from Bug to Feature

UA is printed to the log by default. On the rest: sensible requests :)

Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

Actions #5

Updated by Victor Julien about 3 years ago

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to low
  • Difficulty set to medium

Actions #6

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket