Support #2271
closedeve-log (JSON) correlation
Description
Hi guys,
please provide some information, if I can combine different event_type to one event.
For example, I have event_type=alert where are containing all information about detect some anomaly. In another event_type=http/dns/tls/info can containing additional information about alert. I want that this event_types will be matched (to someone alert will matching his http/dns/tls/info).
If it's possible?
Maybe I can somehow compare this event_types with some individual key.
Updated by Victor Julien about 7 years ago
- Tracker changed from Bug to Support
You can match events by the flow_id field. In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record.
Updated by Victor Julien about 7 years ago
- Subject changed from eve-log (JSON) to eve-log (JSON) correlation
Updated by Roman Karpyuk about 7 years ago
"In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record." - about what you speak? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput - There aren't any mentions about "metadata".
So, where in suricata.yaml I should enable this option?
Or, I didn't understand something.
Please, explain.
Updated by Roman Karpyuk about 7 years ago
Thanks, I will learn your information.
And one more question. Can I logging alerts with priority=1 by eve.json with additional fields and other alerts (with priority 2/3/etc.) without additional fields or another logging types like fast-log. I need this, because I use SIEM and don't want overload my licence.
Updated by Victor Julien about 7 years ago
No, to do this you'll have to do some filtering after Suricata produces the records, but before they are ingested by your SIEM.
Updated by Andreas Herz about 7 years ago
- Assignee set to Anonymous
- Target version set to Support