Bug #1464
closed
eve.json - uncommenting extra fields - 2.1beta4
Added by Peter Manev almost 9 years ago.
Updated almost 8 years ago.
Description
This is not really a bug, but more of an end-user experience improvement, especially for a newbie.
With the default suricata.yaml in the eve-log section - under alert:
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http: yes                # enable dumping of http fields
            # tls: yes                 # enable dumping of tls fields
If you just uncomment/enable the outputs, it will lead to an error:
<Error> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 115: did not find expected key
This is because (due to YAML syntax) you would need to uncomment/delete the pound/hash sign and the extra space after it. Once you do that, you are good to go.
Thanks
- Subject changed from eve.json - uncommenting extra fields to eve.json - uncommenting extra fields - 2.1beta4
Isn't the problem here that if all 'alert' options are commented out, you'd have to remove the colon? So -alert instead of -alert:
- Status changed from New to Closed
Just checked with the current master - rev 66346e4
With the config section below, the error is the same:
[20121] 15/6/2016 -- 14:50:05 - (conf-yaml-loader.c:179) <Error> (ConfYamlParse) -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 161: did not find expected key
      types:
        - alert:
             payload: yes             # enable dumping payload in Base64
             payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
             payload-printable: yes   # enable dumping payload in printable (lossy) format
             packet: yes              # enable dumping of packet (without stream segments)
             http: yes                # enable dumping of http fields
             tls: yes                 # enable dumping of tls fields
             ssh: yes                 # enable dumping of ssh fields
             smtp: yes                # enable dumping of smtp fields
With the config section below:
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            http: yes                # enable dumping of http fields
            tls: yes                 # enable dumping of tls fields
            ssh: yes                 # enable dumping of ssh fields
            smtp: yes                # enable dumping of smtp fields
there is no issue. However, I think it is more visible/intuitive now with the latest changes to suricata.yaml (as compared to 2.1beta4) how the uncommenting needs to be done in that section.
So this would be better in the default suricata.yaml:
      types:
        - alert:
            #payload: yes             # enable dumping payload in Base64
            #payload-printable: yes   # enable dumping payload in printable (lossy) format
            #packet: yes              # enable dumping of packet (without stream segments)
            #http: yes                # enable dumping of http fields
            #tls: yes                 # enable dumping of tls fields
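The pitfall discussed in this ticket, as an added example that is not part of the ticket or of the Suricata project: a block mapping in YAML must start all of its keys in the same column, so deleting only the `#` (and keeping the space after it) shifts each uncommented key one column to the right of any sibling that was already active. The fragment below is constructed in the style of the eve-log alert section; it assumes one option (payload-buffer-size, as in the snippets above) is already enabled at the intended indent, which is what makes the one-column shift fatal. The function names, the parent marker `- alert:` and the optional PyYAML cross-check are this example's own choices.

```python
"""Why removing only the '#' from a commented-out suricata.yaml option can
break the file, and how to check the alert block before starting Suricata.

Added example for the pitfall in bug #1464; not Suricata project code.
"""
import re

# Constructed fragment in the style of the eve-log alert section. One option
# (payload-buffer-size) is assumed to be already active at the intended
# indent; the others are commented out with "# " as in the default file.
SAMPLE = """\
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 4kb   # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http: yes                # enable dumping of http fields
            # tls: yes                 # enable dumping of tls fields
"""

OPTIONS = ("payload", "payload-printable", "packet", "http", "tls")


def uncomment(text, options=OPTIONS, strip_space=True):
    """Enable the given commented-out options in `text`.

    strip_space=False reproduces the naive edit (delete only the '#'), which
    leaves the key one column deeper than the comment started.
    strip_space=True deletes '# ', so the key lands exactly where the
    comment started.
    """
    alternation = "|".join(re.escape(o) for o in options)
    pattern = re.compile(r"^(\s*)# (?:%s):" % alternation)
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            indent = m.group(1)
            rest = line[len(indent) + 1:]   # drop the '#'
            if strip_space:
                rest = rest[1:]             # and the single space after it
            line = indent + rest
        out.append(line)
    return "\n".join(out) + "\n"


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def active_key_columns(text, parent="- alert:"):
    """Columns at which the non-comment keys nested under `parent` start."""
    columns = []
    parent_col = None
    for line in text.splitlines():
        if parent_col is None:
            if line.strip() == parent:
                parent_col = _indent(line)
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue                        # blank or comment: no key here
        col = _indent(line)
        if col <= parent_col:
            break                           # left the alert block
        columns.append(col)
    return columns


def indentation_is_consistent(text, parent="- alert:"):
    """True when every active key under `parent` starts in the same column.

    Keys in two different columns is the situation the ticket's
    'did not find expected key' error comes from."""
    return len(set(active_key_columns(text, parent))) <= 1


def parses_as_yaml(text):
    """Cross-check with PyYAML if it is installed; None means not checked."""
    try:
        import yaml
    except ImportError:
        return None
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False


if __name__ == "__main__":
    for label, strip in (("delete '#' only", False), ("delete '# '", True)):
        edited = uncomment(SAMPLE, strip_space=strip)
        print(label, "-> key columns:", active_key_columns(edited),
              "consistent:", indentation_is_consistent(edited),
              "pyyaml:", parses_as_yaml(edited))
```

The column check is a quick lint for the one mistake this ticket is about; the authoritative check after editing the file is still `suricata -T -c suricata.yaml`, which parses the whole configuration and reports the same line number libyaml complained about.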