Support #2271: eve-log (JSON) correlation
Status: Closed
Description
Hi guys,
please provide some information on whether I can combine different event_types into one event.
For example, I have event_type=alert, which contains all the information about a detected anomaly. Other event_types (http/dns/tls/info) can contain additional information about the alert. I want these event_types to be matched (each alert matched with its http/dns/tls/info).
Is it possible?
Maybe I can somehow compare these event_types with some individual key.
VJ Updated by Victor Julien over 8 years ago
- Tracker changed from Bug to Support
You can match events by the flow_id field. In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record.
VJ Updated by Victor Julien over 8 years ago
- Subject changed from eve-log (JSON) to eve-log (JSON) correlation
RK Updated by Roman Karpyuk over 8 years ago
"In addition, if you enable 'metadata' in the alert record you get a lot of these records with the alert record." - what are you speaking about? https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput - There aren't any mentions of "metadata".
So, where in suricata.yaml should I enable this option?
Or, I didn't understand something.
Please, explain.
RK Updated by Roman Karpyuk over 8 years ago
Thanks, I will learn your information.
And one more question. Can I log alerts with priority=1 via eve.json with additional fields, and other alerts (with priority 2/3/etc.) without additional fields or with other logging types like fast-log? I need this because I use a SIEM and don't want to overload my licence.
VJ Updated by Victor Julien over 8 years ago
No, to do this you'll have to do some filtering after Suricata produces the records, but before they are ingested by your SIEM.
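The two answers above describe a post-processing step: join EVE records on `flow_id`, then decide per alert what reaches the SIEM. The script below is an added example and not Suricata code or a tool from this ticket. It reads `eve.json` lines, groups every record by `flow_id`, and emits alerts whose `alert.severity` (the EVE field that carries the rule priority; 1 is highest) is at or below a threshold together with the http/dns/tls records from the same flow, while lower-priority alerts are reduced to a few identifying fields. The sample records are constructed for the example; their field names follow the EVE JSON schema, and a malformed line is included to show that it is skipped rather than aborting the run.

```python
import json
import sys
from collections import defaultdict

# Constructed sample EVE lines (not taken from the ticket). Field names follow
# Suricata's EVE JSON output; values are invented. The last line is deliberately
# not JSON, as can happen with a truncated write at log rotation.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-11-01T10:00:00.000000+0000","flow_id":111,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"http":{"hostname":"example.test","url":"/index.html","http_method":"GET"}}',
    '{"timestamp":"2017-11-01T10:00:00.100000+0000","flow_id":111,"event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"alert":{"signature_id":1000001,"signature":"TEST suspicious request","severity":1}}',
    '{"timestamp":"2017-11-01T10:00:01.000000+0000","flow_id":222,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53",'
    '"dns":{"type":"query","rrname":"example.test","rrtype":"A"}}',
    '{"timestamp":"2017-11-01T10:00:02.000000+0000","flow_id":333,"event_type":"tls",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.20",'
    '"tls":{"sni":"example.test","version":"TLS 1.2"}}',
    '{"timestamp":"2017-11-01T10:00:02.200000+0000","flow_id":333,"event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.20",'
    '"alert":{"signature_id":1000002,"signature":"TEST low priority","severity":3}}',
    'this line is not JSON and must be skipped',
]

# Record types that carry protocol context worth attaching to an alert.
CONTEXT_TYPES = ("http", "dns", "tls", "fileinfo", "ssh", "smtp")


def parse_eve(lines):
    """Parse EVE JSON lines into dicts, silently dropping malformed or flow-less lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "flow_id" in rec:
            records.append(rec)
    return records


def group_by_flow(records):
    """Map flow_id -> records of that flow, in file order (this is the join key Victor refers to)."""
    flows = defaultdict(list)
    for rec in records:
        flows[rec["flow_id"]].append(rec)
    return flows


def filter_for_siem(lines, enrich_max_severity=1):
    """Return one output record per alert.

    Alerts with severity <= enrich_max_severity get a 'related' list holding the
    protocol records (http/dns/tls/...) seen on the same flow. Other alerts are
    trimmed to identifying fields only, so they cost little SIEM volume.
    """
    flows = group_by_flow(parse_eve(lines))
    output = []
    for recs in flows.values():
        context = [r for r in recs if r.get("event_type") in CONTEXT_TYPES]
        for rec in recs:
            if rec.get("event_type") != "alert":
                continue
            alert = rec.get("alert", {})
            severity = alert.get("severity", 3)  # treat a missing severity as low priority
            if severity <= enrich_max_severity:
                out = dict(rec)
                out["related"] = [
                    {"event_type": c["event_type"], c["event_type"]: c.get(c["event_type"], {})}
                    for c in context
                ]
            else:
                out = {k: rec[k] for k in ("timestamp", "flow_id", "event_type", "src_ip", "dest_ip") if k in rec}
                out["alert"] = {k: alert[k] for k in ("signature_id", "signature", "severity") if k in alert}
            output.append(out)
    return output


if __name__ == "__main__":
    # Usage: python eve_correlate.py < eve.json   (falls back to the constructed sample)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVE_LINES
    for record in filter_for_siem(source):
        print(json.dumps(record))
```

Grouping on `flow_id` alone is enough for a single `eve.json`; if records come from several Suricata instances, include the sensor name in the key, since `flow_id` is only unique per process. Note also that protocol records written after the alert (the tls record of a long-lived connection, for example) are only picked up if the whole file is read before emitting, which is what this script does; a streaming version would need a per-flow time window.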
AH Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to Support
VJ Updated by Victor Julien over 7 years ago
- Status changed from New to Closed