Bug #1464 (Closed)
eve.json - uncommenting extra fields - 2.1beta4
Description
This is not really a bug - but more of an end user experience improvement - especially for a newbie.
With the default suricata.yaml in the eve-log section - under alert:
types:
  - alert:
      # payload: yes           # enable dumping payload in Base64
      # payload-printable: yes # enable dumping payload in printable (lossy) format
      # packet: yes            # enable dumping of packet (without stream segments)
      # http: yes              # enable dumping of http fields
      # tls: yes               # enable dumping of tls fields

If you just uncomment/enable the outputs it will lead to an error:
<Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 115: did not find expected key
This is because (due to yaml syntax) you would need to uncomment/delete the pound/hash sign and the extra space after it. Once you do that - you are good to go.
Thanks
Updated by Peter Manev almost 9 years ago
- Subject changed from eve.json - uncommenting extra fields to eve.json - uncommenting extra fields - 2.1beta4
Updated by Victor Julien almost 8 years ago
Isn't the problem here that if all 'alert' options are commented out, you'd have to remove the colon? So -alert instead of -alert:
Updated by Peter Manev almost 8 years ago
- Status changed from New to Closed
Just checked with the current master - rev 66346e4
With the config section below the ERR is the same:
[20121] 15/6/2016 -- 14:50:05 - (conf-yaml-loader.c:179) <Error> (ConfYamlParse) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 161: did not find expected key
types:
  - alert:
       payload: yes             # enable dumping payload in Base64
       payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
       payload-printable: yes   # enable dumping payload in printable (lossy) format
       packet: yes              # enable dumping of packet (without stream segments)
       http: yes                # enable dumping of http fields
       tls: yes                 # enable dumping of tls fields
       ssh: yes                 # enable dumping of ssh fields
       smtp: yes                # enable dumping of smtp fields
With the config section below:
types:
  - alert:
      payload: yes             # enable dumping payload in Base64
      payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
      payload-printable: yes   # enable dumping payload in printable (lossy) format
      packet: yes              # enable dumping of packet (without stream segments)
      http: yes                # enable dumping of http fields
      tls: yes                 # enable dumping of tls fields
      ssh: yes                 # enable dumping of ssh fields
      smtp: yes                # enable dumping of smtp fields
There is no issue. However I think it is more visible/intuitive now with the latest changes (as compared to 2.1beta4) to the suricata.yaml how the uncommenting needs to be done in that section.
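As an added example (not code from the report or from Suricata), a small pre-flight check in Python for the two mistakes this thread discusses: child keys of a "- alert:" entry landing in different columns after the "#" is deleted but its trailing space kept, and a "- alert:" entry whose options are all commented out. The check_eve_type_block function and the three sample snippets are constructed for this example.

```python
import re

# Matches a 'types' entry such as '  - alert:' (optionally followed by a comment).
ENTRY_RE = re.compile(r"^(\s*-\s+)([A-Za-z0-9_-]+):\s*(#.*)?$")

def check_eve_type_block(text, name="alert"):
    """Lint the eve-log entry '- <name>:' for the two mistakes in this thread:
    child keys not all starting in the same column (a leftover space after a
    deleted '#' makes libyaml fail with 'did not find expected key'), and an
    entry whose options are all commented out, so '- <name>:' carries a null value.
    Returns a list of findings; an empty list means the block looks sane."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m or m.group(2) != name:
            continue
        entry_col = len(m.group(1))        # column where the entry's name starts
        child_cols = []                    # (line number, column) of active child keys
        for j in range(idx + 1, len(lines)):
            stripped = lines[j].lstrip()
            if not stripped:
                continue
            col = len(lines[j]) - len(stripped)
            if col <= entry_col:           # sibling or parent level: block has ended
                break
            if stripped.startswith("#"):   # commented-out option, invisible to YAML
                continue
            child_cols.append((j + 1, col))
        if not child_cols:
            findings.append(f"line {idx + 1}: '- {name}:' has no active options; "
                            f"use '- {name}' or uncomment at least one option")
            continue
        expected = min(c for _, c in child_cols)   # shallowest key is the intended column
        for lineno, col in child_cols:
            if col != expected:
                findings.append(f"line {lineno}: key starts in column {col}, expected "
                                f"{expected} (leftover space after the deleted '#'?)")
    return findings

# Constructed samples (not from the report): '#' deleted but its trailing space kept
# on one line, the same block uncommented correctly, and an all-commented block.
BROKEN = "types:\n  - alert:\n       payload: yes\n      packet: yes\n      http: yes\n"
FIXED = "types:\n  - alert:\n      payload: yes\n      packet: yes\n      http: yes\n"
EMPTY = "types:\n  - alert:\n      # payload: yes\n      # packet: yes\n  - http:\n      extended: yes\n"

if __name__ == "__main__":
    for label, sample in (("BROKEN", BROKEN), ("FIXED", FIXED), ("EMPTY", EMPTY)):
        print(label, check_eve_type_block(sample) or "ok")
```

Running the script on a real suricata.yaml is a matter of passing its contents to check_eve_type_block instead of the constructed samples.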
Updated by Jason Ish almost 8 years ago
So this would be better in the default suricata.yaml:
types:
  - alert:
      #payload: yes           # enable dumping payload in Base64
      #payload-printable: yes # enable dumping payload in printable (lossy) format
      #packet: yes            # enable dumping of packet (without stream segments)
      #http: yes              # enable dumping of http fields
      #tls: yes               # enable dumping of tls fields