Project

General

Profile

Actions
Copy link

Feature #2166

open

output: log only triggering buffers

Added by Eric Leblond almost 7 years ago. Updated almost 7 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

When adding to the alert events the protocol buffer, we provide valuable information but logging all of them will cause a serious increase in event size. So we should only log the triggering buffers.

Jason Ish is proposing the following (https://github.com/inliniac/suricata/pull/2663#issuecomment-293952371)

{
    "timestamp": ...
    "alert": ...
    "buffers": [
        {
            "name": "http_response_body",
            "data": "....",
            "data-printable": "...",
        },
        {
        ....

Actions
Copy link
 #1

Updated by Victor Julien almost 7 years ago

  • Subject changed from Log only triggering buffers to output: log only triggering buffers
Actions
Copy link
 #2

Updated by Andreas Herz almost 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link

Also available in: Atom PDF