Support #2271
closed
eve-log (JSON) correlation
Added by Roman Karpyuk about 7 years ago.
Updated about 6 years ago.
Description
Hi guys,
please provide some information on whether I can combine different event_types into one event.
For example, I have event_type=alert, which contains all the information about detecting some anomaly. Other event_types (http/dns/tls/info) can contain additional information about the alert. I want these event_types to be matched (so that each alert is matched with its http/dns/tls/info).
Is it possible?
Maybe I can somehow correlate these event_types using some individual key.
- Tracker changed from Bug to Support
You can match events by the flow_id field. In addition, if you enable 'metadata' in the alert record, you get a lot of these records along with the alert record.
- Subject changed from eve-log (JSON) to eve-log (JSON) correlation
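Added example (not code from the original thread or from the Suricata project) of the flow_id join described in the answer above: every EVE record for the same flow carries the same flow_id, so http/dns/tls/flow records can be grouped next to the alert raised on that flow. The sample eve.json lines are constructed, the flow_id values are deliberately short, and the CONTEXT_TYPES list and function names are my own choices. When metadata is enabled on the eve alert output, the alert record itself already embeds these sub-objects, so the join is mainly needed for records that Suricata writes separately (for example a flow record emitted at flow end, after the alert).

```python
import json
from collections import defaultdict

# Constructed sample of newline-delimited EVE records (not real Suricata output).
# Field names follow the EVE schema; flow_id values are short for readability.
# Flow 1111 is a DNS lookup in its own UDP flow, so it does NOT share a flow_id
# with the HTTP flow 2222 that followed it.
SAMPLE_EVE = r"""
{"timestamp":"2017-10-17T10:00:01.000000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2017-10-17T10:00:02.000000+0000","flow_id":2222,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"example.test","url":"/index.php?id=1","http_method":"GET","status":200}}
{"timestamp":"2017-10-17T10:00:02.100000+0000","flow_id":2222,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"TEST suspicious GET","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-10-17T10:00:03.000000+0000","flow_id":3333,"event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.20","proto":"TCP","tls":{"subject":"CN=example.test","sni":"example.test","version":"TLS 1.2"}}
{"timestamp":"2017-10-17T10:00:03.500000+0000","flow_id":3333,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.20","proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"TEST bad TLS SNI","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2017-10-17T10:00:04.000000+0000","flow_id":2222,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":600,"bytes_toclient":2500,"state":"closed"}}
"""

# Event types whose per-type sub-object is worth attaching to an alert (my selection).
CONTEXT_TYPES = ("http", "dns", "tls", "fileinfo", "flow")


def parse_eve(text):
    """Parse newline-delimited EVE JSON; skip blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line (e.g. during log rotation) must not abort the pass
    return events


def correlate_by_flow(events, context_types=CONTEXT_TYPES):
    """Group records by flow_id and return only the flows that carry at least one alert.

    Result shape: {flow_id: {"alerts": [alert records],
                             "context": {event_type: [per-type sub-objects]}}}
    The stored sub-object is record["http"], record["tls"], ... rather than the
    whole record, which is what an analyst wants to see next to the alert.
    """
    by_flow = defaultdict(lambda: {"alerts": [], "context": defaultdict(list)})
    for ev in events:
        fid = ev.get("flow_id")
        et = ev.get("event_type")
        if fid is None or et is None:
            continue  # stats and similar records carry no flow_id
        if et == "alert":
            by_flow[fid]["alerts"].append(ev)
        elif et in context_types and et in ev:
            by_flow[fid]["context"][et].append(ev[et])
    return {
        fid: {"alerts": v["alerts"], "context": dict(v["context"])}
        for fid, v in by_flow.items()
        if v["alerts"]
    }


def enriched_alerts(events):
    """Flatten the grouping into one dict per alert with its flow context attached."""
    out = []
    for fid, group in correlate_by_flow(events).items():
        for alert in group["alerts"]:
            out.append({"flow_id": fid,
                        "signature": alert["alert"]["signature"],
                        "severity": alert["alert"]["severity"],
                        "context": group["context"]})
    return out


if __name__ == "__main__":
    for rec in enriched_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(rec))
```

Two caveats to keep in mind when using flow_id this way: a flow can raise several alerts, so the join is per flow rather than per alert; and a DNS lookup lives in its own UDP flow, so it will not share a flow_id with the TCP flow it preceded (flow 1111 versus 2222 in the sample), which is why that kind of correlation has to fall back on source IP and time window.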
Thanks, I will look into your information.
And one more question. Can I log alerts with priority=1 via eve.json with the additional fields, and other alerts (with priority 2/3/etc.) without the additional fields, or via another logging type like fast-log? I need this because I use a SIEM and don't want to overload my licence.
No, to do this you'll have to do some filtering after Suricata produces the records, but before they are ingested by your SIEM.
- Assignee set to Anonymous
- Target version set to Support
- Status changed from New to Closed
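Added example (my own code, not from the original thread or from the Suricata project) of the post-processing filter the answer above describes: it sits between eve.json and the SIEM forwarder, passes priority-1 alerts through untouched, strips everything except a core set of fields from lower-priority alerts, and drops non-alert records. In EVE output the rule priority appears as `alert.severity` (1 is the highest). The sample lines are constructed, and the CORE_FIELDS list and the severity threshold are assumptions to adjust to the SIEM's needs.

```python
import json
import sys

# Constructed EVE alert records (not real Suricata output). Both carry the
# http/flow sub-objects that the alert output adds when metadata is enabled;
# the first has severity 1 (rule priority 1), the second severity 3. The third
# line is a plain http record that should not reach the SIEM at all.
SAMPLE_EVE = r"""
{"timestamp":"2017-10-17T11:00:00.000000+0000","flow_id":4444,"event_type":"alert","src_ip":"10.0.0.7","src_port":51000,"dest_ip":"203.0.113.30","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":2,"signature":"TEST webshell request","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"203.0.113.30","url":"/cmd.php?c=id","http_method":"GET","status":200},"flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":400,"bytes_toclient":900}}
{"timestamp":"2017-10-17T11:00:01.000000+0000","flow_id":5555,"event_type":"alert","src_ip":"10.0.0.8","src_port":51001,"dest_ip":"203.0.113.31","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000004,"rev":1,"signature":"TEST generic user-agent","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"203.0.113.31","url":"/","http_method":"GET","status":200},"flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":200,"bytes_toclient":300}}
{"timestamp":"2017-10-17T11:00:02.000000+0000","flow_id":5555,"event_type":"http","src_ip":"10.0.0.8","dest_ip":"203.0.113.31","proto":"TCP","http":{"hostname":"203.0.113.31","url":"/","http_method":"GET","status":200}}
"""

# Fields kept on every alert regardless of severity (my choice): enough to write
# a basic SIEM rule and to pivot back into the full eve.json via flow_id/timestamp.
CORE_FIELDS = ("timestamp", "flow_id", "event_type", "src_ip", "src_port",
               "dest_ip", "dest_port", "proto", "alert")


def reduce_alert(record, full_detail_max_severity=1):
    """Return the alert unchanged if severity <= threshold, else only CORE_FIELDS.

    Returns None for non-alert records so the caller drops them. A missing or
    non-integer severity is treated as low priority and gets the reduced form.
    """
    if record.get("event_type") != "alert":
        return None
    severity = record.get("alert", {}).get("severity")
    if isinstance(severity, int) and severity <= full_detail_max_severity:
        return record
    return {k: record[k] for k in CORE_FIELDS if k in record}


def filter_for_siem(lines, full_detail_max_severity=1):
    """Yield reduced alert records from an iterable of raw eve.json lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # never let one truncated line stop the feed
        reduced = reduce_alert(record, full_detail_max_severity)
        if reduced is not None:
            yield reduced


def siem_feed(text, full_detail_max_severity=1):
    """Convenience wrapper for strings: returns the filtered records as a list."""
    return list(filter_for_siem(text.splitlines(), full_detail_max_severity))


if __name__ == "__main__":
    # Pipeline use: tail -F /var/log/suricata/eve.json | python3 eve_filter.py | <forwarder>
    # With no piped input, the constructed sample is used instead.
    src = SAMPLE_EVE.splitlines() if sys.stdin.isatty() else sys.stdin
    for rec in filter_for_siem(src):
        sys.stdout.write(json.dumps(rec, separators=(",", ":")) + "\n")
```

The severity value comes from the priority assigned in classification.config (or a rule's own priority keyword), so check those mappings before relying on the threshold; the reduced record keeps flow_id on purpose, so an analyst can still pull the full context from the local eve.json when a low-priority alert turns out to matter.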