Actions
Feature #1830
closed
VJ
JI
support 'tag' in eve log
Feature #1830:
support 'tag' in eve log
Description
When using the tag keyword special tag records are being written out to unified2. This way more packets than just the one triggering the alert are logged.
Eve should support the same thing. Probably through the 'alert' record with a special sid/gid like in unified2.
JI Updated by Jason Ish over 9 years ago
Actually unified2 doesn't have the special alert record with the tagged gid/sid anymore. A packet is a discrete record that contains an "event_id" and "event_second" to associate with the alert record previously seen in the unified file.
I thought we could do something similar, a "packet" eve record?
VJ Updated by Victor Julien over 9 years ago
I like the packet eve record idea.
JI Updated by Jason Ish over 9 years ago
Example packet records:
https://gist.github.com/jasonish/efa5f204ef7e46326d472271d204f107
VJ Updated by Victor Julien over 9 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
Actions