Support #2271

closed

eve-log (JSON) correlation

Added by Roman Karpyuk about 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hi guys,
please provide some information, if I can combine different event_type to one event.
For example, I have event_type=alert, which contains all the information about the detection of some anomaly. Other event_types (http/dns/tls/info) can contain additional information about the alert. I want these event_types to be matched (each alert matched with its http/dns/tls/info).
Is it possible?
Maybe I can somehow compare these event_types by some individual key.

Actions #1

Updated by Victor Julien about 7 years ago

  • Tracker changed from Bug to Support

You can match events by the flow_id field. In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record.
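Victor's flow_id approach in code, as an added example that is not part of this thread or of Suricata itself: the script groups eve.json records by flow_id and attaches the http/tls/flow records from the same flow to each alert record. The sample eve.json lines are constructed by hand (invented addresses, signature IDs and flow_ids) and only mimic the field layout of eve.json; the function names are mine.

```python
"""Correlate Suricata eve.json records by flow_id.

Added example, not code from the Redmine thread or from Suricata. The
sample records below are constructed by hand; their values are invented.
"""
import json
from collections import defaultdict

# Constructed eve.json lines (newline-delimited JSON, one record per line).
SAMPLE_EVE = """\
{"timestamp":"2018-01-01T10:00:00.000001+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2018-01-01T10:00:01.000001+0000","flow_id":2222,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","http":{"hostname":"example.test","url":"/download.exe","http_method":"GET"}}
{"timestamp":"2018-01-01T10:00:01.000500+0000","flow_id":2222,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE executable download","severity":1}}
{"timestamp":"2018-01-01T10:00:02.000001+0000","flow_id":3333,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","tls":{"sni":"other.test","version":"TLS 1.2"}}
{"timestamp":"2018-01-01T10:00:05.000001+0000","flow_id":2222,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"state":"closed"}}
{"timestamp":"2018-01-01T10:00:06.000001+0000","flow_id":3333,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","alert":{"signature_id":1000002,"signature":"EXAMPLE suspicious SNI","severity":2}}
"""


def parse_eve(text):
    """Yield one dict per non-empty line; skip lines that are not valid JSON
    (a truncated last line is normal when the file is still being written)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def correlate_by_flow(records):
    """Group records by flow_id, then attach to each alert the non-alert
    records (http/dns/tls/flow/...) that share its flow_id.

    Returns a list of {"alert": <alert record>, "context": {event_type: [records]}}.
    """
    records = list(records)
    by_flow = defaultdict(list)
    for rec in records:
        if "flow_id" in rec:           # stats and engine records carry no flow_id
            by_flow[rec["flow_id"]].append(rec)

    enriched = []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        context = defaultdict(list)
        for other in by_flow[rec["flow_id"]]:
            if other is rec or other.get("event_type") == "alert":
                continue               # skip self and sibling alerts on the flow
            context[other["event_type"]].append(other)
        enriched.append({"alert": rec, "context": dict(context)})
    return enriched


def summarize(enriched):
    """Compact, SIEM-friendly summary per alert: which context was found."""
    out = []
    for item in enriched:
        a = item["alert"]
        http = item["context"].get("http", [])
        tls = item["context"].get("tls", [])
        out.append({
            "flow_id": a["flow_id"],
            "signature": a["alert"]["signature"],
            "severity": a["alert"]["severity"],
            "http_hosts": [h["http"].get("hostname") for h in http],
            "tls_sni": [t["tls"].get("sni") for t in tls],
            "context_types": sorted(item["context"]),
        })
    return out


if __name__ == "__main__":
    for summary in summarize(correlate_by_flow(parse_eve(SAMPLE_EVE))):
        print(json.dumps(summary))
```

One caveat the sample shows: flow_id only ties together records of a single flow, so the DNS query on flow 1111 that preceded the HTTP connection is not linked to the alert on flow 2222. Correlating across flows needs a different key (src_ip plus a time window, for instance). For the application-layer fields of the alert's own flow, the 'metadata' option Victor mentions puts them into the alert record directly, which avoids this post-processing altogether.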

Actions #2

Updated by Victor Julien about 7 years ago

  • Subject changed from eve-log (JSON) to eve-log (JSON) correlation

Actions #3

Updated by Roman Karpyuk about 7 years ago

"In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record." - What are you talking about? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput - There isn't any mention of "metadata" there.
So, where in suricata.yaml should I enable this option?
Or did I misunderstand something?
Please explain.

Actions #5

Updated by Roman Karpyuk about 7 years ago

Thanks, I will study your information.

And one more question. Can I log alerts with priority=1 to eve.json with additional fields, and other alerts (with priority 2/3/etc.) without additional fields or to another logging type like fast-log? I need this because I use a SIEM and don't want to overload my licence.

Actions #6

Updated by Victor Julien about 7 years ago

No, to do this you'll have to do some filtering after Suricata produces the records, but before they are ingested by your SIEM.
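The post-Suricata, pre-SIEM filtering Victor describes, as an added example that is not part of this thread or of Suricata itself: high-priority alerts pass through with every field (including the http/tls fields that the alert record carries when 'metadata' is enabled), lower-priority alerts are cut down to a handful of keys or rendered as a fast.log-style text line, and non-alert records are dropped. In eve.json the rule priority appears as alert.severity. The sample records are constructed (invented addresses and signature IDs), and names such as split_for_siem and the severity threshold are my choices.

```python
"""Post-process eve.json between Suricata and the SIEM: keep high-priority
alerts whole, shrink the rest.

Added example, not code from the Redmine thread or from Suricata. Sample
records are constructed by hand with invented values.
"""
import json

# Constructed eve.json lines. The first alert carries the http and payload
# fields that an alert record gets when 'metadata' / payload logging is on.
SAMPLE_EVE = """\
{"timestamp":"2018-01-01T10:00:01.000500+0000","flow_id":2222,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE executable download","category":"Potentially Bad Traffic","severity":1},"http":{"hostname":"example.test","url":"/download.exe","http_method":"GET","status":200},"payload_printable":"GET /download.exe HTTP/1.1..."}
{"timestamp":"2018-01-01T10:00:06.000001+0000","flow_id":3333,"event_type":"alert","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"EXAMPLE suspicious SNI","category":"Not Suspicious Traffic","severity":3},"tls":{"sni":"other.test","version":"TLS 1.2"}}
{"timestamp":"2018-01-01T10:00:07.000001+0000","flow_id":4444,"event_type":"http","src_ip":"10.0.0.6","dest_ip":"198.51.100.8","proto":"TCP","http":{"hostname":"plain.test","url":"/","http_method":"GET"}}
"""

# Keys kept for lower-priority alerts: enough to count and pivot on.
MINIMAL_KEYS = ("timestamp", "flow_id", "src_ip", "src_port",
                "dest_ip", "dest_port", "proto")
MINIMAL_ALERT_KEYS = ("signature_id", "signature", "severity")


def parse_eve(text):
    """One dict per non-empty line (eve.json is newline-delimited JSON)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reduce_alert(rec):
    """Strip an alert record down to MINIMAL_KEYS plus a trimmed alert object."""
    slim = {k: rec[k] for k in MINIMAL_KEYS if k in rec}
    slim["event_type"] = "alert"
    slim["alert"] = {k: rec["alert"][k] for k in MINIMAL_ALERT_KEYS if k in rec["alert"]}
    return slim


def split_for_siem(records, full_severity=1):
    """Route alerts: severity <= full_severity keeps every field, the others
    are reduced. Non-alert records (http, dns, tls, flow, stats, ...) are
    dropped, on the assumption that the high-priority alerts already carry
    that context via 'metadata'. Returns (full, minimal)."""
    full, minimal = [], []
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        # A missing severity is treated as lowest priority, never as high.
        if rec["alert"].get("severity", 99) <= full_severity:
            full.append(rec)
        else:
            minimal.append(reduce_alert(rec))
    return full, minimal


def fast_log_line(rec):
    """Render a (reduced or full) alert as a one-line, fast.log-style string."""
    a = rec["alert"]
    return ("{ts}  [**] [{sid}] {sig} [**] [Priority: {sev}] "
            "{{{proto}}} {src}:{sport} -> {dst}:{dport}").format(
        ts=rec.get("timestamp", "-"), sid=a.get("signature_id", "-"),
        sig=a.get("signature", "-"), sev=a.get("severity", "-"),
        proto=rec.get("proto", "-"), src=rec.get("src_ip", "-"),
        sport=rec.get("src_port", "-"), dst=rec.get("dest_ip", "-"),
        dport=rec.get("dest_port", "-"))


def bytes_saved(records):
    """Bytes of JSON removed by the reduction, for licence-volume estimates."""
    full, minimal = split_for_siem(records)
    before = sum(len(json.dumps(r)) for r in records)
    after = sum(len(json.dumps(r)) for r in full + minimal)
    return before - after


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    full, minimal = split_for_siem(recs)
    for r in full:
        print(json.dumps(r))         # destined for the SIEM's JSON input
    for r in minimal:
        print(fast_log_line(r))      # destined for a cheaper text channel
    print("bytes removed:", bytes_saved(recs))
```

In practice this sits in the log pipeline (a shipper or a small filter reading eve.json) rather than in suricata.yaml, which is the point of Victor's answer: Suricata writes one eve.json record per alert with the same field set, so per-priority field selection has to happen downstream.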

Actions #7

Updated by Andreas Herz about 7 years ago

  • Assignee set to Anonymous
  • Target version set to Support

Actions #8

Updated by Victor Julien about 6 years ago

  • Status changed from New to Closed