allow configuration of file-store types
files-json.log seems to get pretty big pretty quickly. It would be nice to be able to configure which types of files it will log. Alternatively, being able to only log the metadata for stuff with a filestore rule could be useful.
I could imagine 2 types of solutions here:
- add some kind of output filtering to the logger (e.g. pattern/regex match)
- allow rules to control such logging.
Personally I would prefer the latter although it's a more invasive change.
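The first option above (pattern filtering on the logger output) can be approximated today outside Suricata by post-filtering the log. The following is an added example, not code from the issue or from the Suricata project: it reads JSON-lines file events, keeps only those whose libmagic type matches a regex and, optionally, only those a filestore rule actually stored (the "only log metadata for stuff with a filestore rule" variant from the report). The field layout (EVE-style `event_type`/`fileinfo` records, plus the older flat files-json.log layout with `filename`/`magic`/`stored` at the top level) and the sample lines are assumptions constructed for the example; check them against what your Suricata version writes.

```python
import json
import re
import sys

# Constructed sample input (not taken from the issue): four file events in two
# layouts, one alert event and one corrupt line. Field names are an assumption.
SAMPLE_LOG = """\
{"timestamp":"2013-01-01T00:00:01.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","fileinfo":{"filename":"/update.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","state":"CLOSED","md5":"d41d8cd98f00b204e9800998ecf8427e","stored":true,"size":4096}}
{"timestamp":"2013-01-01T00:00:02.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","fileinfo":{"filename":"/logo.png","magic":"PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced","state":"CLOSED","stored":false,"size":1200}}
{"timestamp":"2013-01-01T00:00:03.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.6","dest_ip":"203.0.113.12","fileinfo":{"filename":"/index.html","magic":"HTML document, ASCII text","state":"CLOSED","stored":false,"size":900}}
{"timestamp":"2013-01-01T00:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.12","alert":{"signature_id":1}}
{"timestamp":"2013-01-01T00:00:05.000000+0000","ipver":4,"srcip":"10.0.0.7","dstip":"203.0.113.13","filename":"/doc.pdf","magic":"PDF document, version 1.4","state":"CLOSED","stored":false,"size":500}
not json at all
"""


def file_record(event):
    """Return the file metadata dict for a file event, or None otherwise.

    Handles the EVE shape ({"event_type": "fileinfo", "fileinfo": {...}}) and
    the older flat files-json.log shape where the file fields sit at the top
    level. Both layouts are assumed here; adjust to your Suricata version.
    """
    if event.get("event_type") == "fileinfo" and isinstance(event.get("fileinfo"), dict):
        return event["fileinfo"]
    if "event_type" not in event and "filename" in event:
        return event
    return None


def parse_events(text):
    """Yield parsed JSON objects, one per line, skipping blank or corrupt lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line: skip it rather than abort the run
        if isinstance(event, dict):
            yield event


def filter_file_events(text, magic_pattern=None, stored_only=False):
    """Return the file events whose libmagic type matches magic_pattern
    (regex, case-insensitive) and, if stored_only, that were actually stored
    by a filestore rule. Non-file events are always dropped."""
    pattern = re.compile(magic_pattern, re.IGNORECASE) if magic_pattern else None
    kept = []
    for event in parse_events(text):
        info = file_record(event)
        if info is None:
            continue
        if stored_only and info.get("stored") is not True:
            continue
        if pattern and not pattern.search(info.get("magic") or ""):
            continue
        kept.append(event)
    return kept


if __name__ == "__main__":
    # Usage: python filter_files_log.py [magic-regex] [--stored] < files-json.log
    # With no stdin the constructed sample above is used.
    stored = "--stored" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--stored"]
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for event in filter_file_events(text, args[0] if args else None, stored):
        print(json.dumps(event))
```

Running it as `python filter_files_log.py '^PE32' < files-json.log` keeps only the Win32 PE records mentioned later in the thread; adding `--stored` keeps only those a filestore rule extracted. Matching on the `magic` string rather than the filename or URI is deliberate, since the extension can be anything the server chooses.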
I noticed this issue with the eve-log also. Enabling file magic and hash logging to syslog for example results in logs for all filetypes despite having only one alert rule for Win32 PE files. I'd like it to only log the PE files.
- Assignee set to Anonymous
- Target version set to TBD
Contributions will be welcomed.
- Assignee set to Community Ticket
- Related to Feature #1005: conditional logging: controlling what gets logged added
- Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
Have you looked into the config keyword to be able to do this?