Feature #1191
Closed
EVE log does not support customformat
Description
HTTP logging with EVE log does not support the customformat tag. It would be beneficial to have consistent features between EVE logging and regular http-log which does support the customformat tag.
This is similar to #1150 where tls.store can not be used with EVE log.
Updated by Victor Julien about 12 years ago
Does this do what you need? https://github.com/inliniac/suricata/pull/956
It allows for extra logging of http headers, although it's limited to a hardcoded list currently: https://github.com/inliniac/suricata/pull/956/files#diff-544ba33b2a4e8950a3c135a9717f319dR130
Updated by Paul Gofran about 12 years ago
A few things that we would like to see in addition to this are some of the things identified in #602:
Cookie parsing: ex "%{Foobar}C"
Max length: ex: "%[100]{Referer}i"
Also I did not see User-Agent in this list.
If HTTP_FIELD_SIZE could be broken up into request size and response size that would also be helpful.
Updated by Victor Julien about 12 years ago
- Tracker changed from Bug to Feature
UA is printed to the log by default. On the rest: sensible requests :)
Updated by Andreas Herz over 10 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 8 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to medium
Updated by Andreas Herz over 7 years ago
- Assignee set to Community Ticket
Updated by Jason Ish 5 days ago
- Related to Task #7232: http-log: remove added
Updated by Jason Ish 5 days ago
- Status changed from New to Rejected
Closing as rejected, as I don't think a custom format makes sense for the EVE log. EVE is structured output; instead of allowing custom formats, we add more fields that then allow custom formats to be built up in post-processing. If we are missing fields, please open a new ticket specifically for the fields you are interested in having logged.
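An added example of the post-processing approach described in the closing comment (not part of the ticket and not Suricata code): it renders EVE `http` records through a customformat-like string, including the `%{Foobar}C` and `%[100]{Referer}i` forms requested above. Assumptions: the token letters mirror http-log's customformat, the `%[N]` length prefix is the syntax proposed in this ticket, and the EVE records carry `http.request_headers` (only present when header dumping is enabled).

```python
import json
import re

# Subset of http-log tokens mapped to EVE fields (assumed mapping).
SIMPLE = {"a": ["src_ip"], "p": ["src_port"], "A": ["dest_ip"], "P": ["dest_port"],
          "h": ["http", "hostname"], "m": ["http", "http_method"],
          "u": ["http", "url"], "s": ["http", "status"], "B": ["http", "length"]}
TOKEN = re.compile(r"%(?:\[(\d+)\])?(?:\{([^}]*)\})?([A-Za-z%])")

def request_header(event, name):
    # request_headers is only present when EVE header dumping is enabled.
    for hdr in event.get("http", {}).get("request_headers", []):
        if hdr.get("name", "").lower() == name.lower():
            return hdr.get("value", "")
    return None

def cookie(event, name):
    for part in (request_header(event, "Cookie") or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def render(fmt, event):
    def expand(m):
        limit, arg, kind = m.groups()
        if kind == "%":
            return "%"
        if kind in ("i", "C"):
            value = (request_header if kind == "i" else cookie)(event, arg or "")
        elif kind in SIMPLE:
            value = event
            for key in SIMPLE[kind]:
                value = value.get(key) if isinstance(value, dict) else None
        else:
            return m.group(0)  # unknown token: keep as written
        text = "-" if value is None else str(value)
        # Header values are attacker-controlled: escape control characters so
        # a crafted value cannot forge extra lines in the text log.
        text = re.sub(r"[\x00-\x1f\x7f]", lambda c: "\\x%02x" % ord(c.group()), text)
        return text[:int(limit)] if limit else text
    return TOKEN.sub(expand, fmt)

# Constructed sample EVE record (not real traffic).
SAMPLE = json.loads('{"event_type":"http","src_ip":"192.0.2.10","src_port":51234,'
    '"dest_ip":"198.51.100.5","dest_port":80,"http":{"hostname":"example.test",'
    '"url":"/login","http_method":"GET","status":200,"length":512,"request_headers":['
    '{"name":"Referer","value":"http://example.test/a/long/path"},'
    '{"name":"Cookie","value":"Foobar=abc123; theme=dark"}]}}')
```

For a live sensor, feed each line of the EVE file through `json.loads` and pass records whose `event_type` is `http` to `render`.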