Suricata

No, this is not possible. In the future there will be a log method to log the entire http headers, http body and such. But that won't use unified2.

Ok, thx for answer, so I have problem..., because I need capture and log entire xml, maybe do You know any other methods to do this ??

In this development code branch, there is a new option to log the payloads in json: https://github.com/inliniac/suricata/pull/991 It also logs the stream, in a single buffer. Perhaps you can help test it.

thank You, I will test it

Hi Victor, I think this entry cause core dump:

- eve-log:
      enabled: yes
      filetype: file #file|syslog|unix_dgram|unix_stream
In suricata.log I can see:

30/6/2014 -- 12:19:01 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid entry for eve-log.type. Expected "regular" (default), "unix_stream", "pcie" or "unix_dgram"

When I change it on:

- eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream

suricata is running but logging of payload dosen't work...
Can You advise me what is wrong with my suricata ??

it has started working, when I changed conf:

- eve-log:
enabled: yes
type: file #file|syslog|unix_dgram|unix_stream

types:
        - alert:
            payload: yes
            payload-base64: no
            packet: yes

Is this still an issue as we released 3.0 and the json output advanced/improved a lot?
So if not we can close it :)

Hi, I didn't upgrade my suricata