Bug #1464

closed

eve.json - uncommenting extra fields - 2.1beta4

Added by Peter Manev almost 9 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is not really a bug - but more of an end user experience improvement - especially for a newbie.

With the default suricata.yaml in the eve-log section - under alert:

      types:
        - alert:
            # payload: yes           # enable dumping payload in Base64
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes            # enable dumping of packet (without stream segments)
            # http: yes              # enable dumping of http fields
            # tls: yes               # enable dumping of tls fields


if you just uncomment/enable the outputs it will lead to an error:
<Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 115: did not find expected key

This is because (due to yaml syntax) you would need to uncomment/delete the pound/hash sign and the extra space after it. Once you do that - you are good to go.

Thanks

Actions #1

Updated by Peter Manev almost 9 years ago

  • Subject changed from eve.json - uncommenting extra fields to eve.json - uncommenting extra fields - 2.1beta4
Actions #2

Updated by Victor Julien almost 8 years ago

Isn't the problem here that if all 'alert' options are commented out, you'd have to remove the colon? So -alert instead of -alert:

Actions #3

Updated by Peter Manev almost 8 years ago

  • Status changed from New to Closed

Just checked with the current master - rev 66346e4

With the config section below the error is the same:

[20121] 15/6/2016 -- 14:50:05 - (conf-yaml-loader.c:179) <Error> (ConfYamlParse) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 161: did not find expected key

      types:
        - alert:
             payload: yes             # enable dumping payload in Base64
             payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
             payload-printable: yes   # enable dumping payload in printable (lossy) format
             packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
            ssh: yes                 # enable dumping of ssh fields
            smtp: yes                # enable dumping of smtp fields

With the config section below:

      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
            ssh: yes                 # enable dumping of ssh fields
            smtp: yes                # enable dumping of smtp fields

There is no issue. However I think it is more visible/intuitive now with the latest changes (as compared to 2.1beta4) to the suricata.yaml how the uncommenting needs to be done in that section.
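The two snippets above differ only in the indentation column of the keys under "- alert:". As an added illustration (not part of this issue or of Suricata's own code), the following script reproduces the mistake on constructed copies of the 2.1beta4 template and checks for it without needing a YAML library: it flags keys whose indentation differs from the first key in the same list item, and shows the two ways of "uncommenting" (deleting only the "#" versus deleting "# "). Function and regex names are this example's own.

```python
import re

# Constructed copy of the commented 2.1beta4 alert section from the issue.
TEMPLATE = """\
      types:
        - alert:
            # payload: yes           # enable dumping payload in Base64
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes            # enable dumping of packet (without stream segments)
            # http: yes              # enable dumping of http fields
            # tls: yes               # enable dumping of tls fields
"""

# Constructed copy of the failing section from comment #3: four keys at 13
# spaces (only "#" deleted), the rest at 12 spaces. libyaml rejects this with
# "did not find expected key".
BAD_SECTION = """\
      types:
        - alert:
             payload: yes             # enable dumping payload in Base64
             payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
             payload-printable: yes   # enable dumping payload in printable (lossy) format
             packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
"""

# "        - alert:"  -> a sequence item that opens a nested mapping
ITEM_RE = re.compile(r"^(\s*)-\s+\S+:\s*$")
# "            # payload: yes   # ..." -> indent, spaces after '#', key + rest
COMMENTED_KEY_RE = re.compile(r"^(\s*)#(\s*)(\S+:.*)$")


def indent_of(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def misaligned_keys(text):
    """Return 1-based line numbers of keys whose indentation differs from the
    first key of the same '- item:' block. Blank and comment-only lines are
    ignored, exactly as a YAML parser would ignore them."""
    flagged = []
    item_indent = None   # indent of the current "- alert:" line
    key_indent = None    # indent established by the first key under it
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = indent_of(line)
        if ITEM_RE.match(line):
            item_indent, key_indent = indent, None
            continue
        if item_indent is None or indent <= item_indent:
            item_indent, key_indent = None, None   # left the block
            continue
        if key_indent is None:
            key_indent = indent                    # first key sets the column
        elif indent != key_indent:
            flagged.append(lineno)
    return flagged


def _rewrite_commented(text, keys, keep_gap):
    """Enable the named keys in a commented template. keep_gap=True mimics
    deleting only the '#' (the key shifts one column right); keep_gap=False
    deletes '#' plus the spaces after it, so the key lands where '#' was."""
    out = []
    for line in text.splitlines():
        m = COMMENTED_KEY_RE.match(line)
        if m and m.group(3).split(":")[0] in keys:
            gap = m.group(2) if keep_gap else ""
            out.append(m.group(1) + gap + m.group(3))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def delete_hash_only(text, keys):
    """The mistake from the issue: remove '#' but leave the space after it."""
    return _rewrite_commented(text, keys, keep_gap=True)


def uncomment_keys(text, keys):
    """The fix from the issue: remove '#' and the extra space after it."""
    return _rewrite_commented(text, keys, keep_gap=False)


if __name__ == "__main__":
    print("bad section, misaligned lines:", misaligned_keys(BAD_SECTION))
    mixed = uncomment_keys(delete_hash_only(TEMPLATE, {"payload"}), {"http"})
    print("mixed uncommenting, misaligned lines:", misaligned_keys(mixed))
    good = uncomment_keys(TEMPLATE, {"payload", "http", "tls"})
    print("consistent uncommenting, misaligned lines:", misaligned_keys(good))
```

Note that YAML only requires the keys of one mapping to share a column; a section where every key sits at 13 spaces parses as well as one where every key sits at 12. The parse error appears precisely when the two styles are mixed, which is what happens when some lines are enabled by deleting "#" and others by deleting "# ".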

Actions #4

Updated by Jason Ish almost 8 years ago

So this would be better in the default suricata.yaml:

      types:
        - alert:
            #payload: yes           # enable dumping payload in Base64
            #payload-printable: yes # enable dumping payload in printable (lossy) format
            #packet: yes            # enable dumping of packet (without stream segments)
            #http: yes              # enable dumping of http fields
            #tls: yes               # enable dumping of tls fields
