Feature #2352
Status: closed
eve: add "metadata" field to alert (rework of vars)
Description
Re-work the "vars" object into a top-level "metadata" field that will initially contain flowbits, flowvars, flowints and pktvars. For example:
{
  "metadata": {
    "flowbits": [
      "/traffic/id/facebook",
      "ET.TorIP"
    ],
    "flowvars": {
      "flow_var0_name": "flow_var0_value",
      "flow_var1_name": "flow_var1_value"
    },
    "flowints": {
      "flow_int0_name": 0,
      "flow_int1_name": 1
    },
    "pktvars": {
      "pkt_var0_name": "pkt_var0_value",
      "pkt_var1_name": "pkt_var1_value"
    }
  }
}
Also, unlike the vars object, log this to flow/netflow event types as well. Perhaps all event types?
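As an added illustration (not code from the issue or from the Suricata project) of why logging the metadata object on flow and netflow records as well as alerts is useful to a consumer: the script below parses EVE JSON lines, normalises the proposed "metadata" object (flowbits, flowvars, flowints, pktvars) so that events without it are handled uniformly, and then correlates an alert with its flow record by flowbit. The sample lines are constructed for this example; the event layout follows the JSON in the description, and the helper names are this example's own.

```python
"""Consume the proposed top-level "metadata" object from EVE JSON lines."""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

META_KEYS = ("flowbits", "flowvars", "flowints", "pktvars")

# Constructed sample EVE lines (not real Suricata output). The alert and the
# flow record carry the proposed "metadata" object; the dns record does not,
# which is what an event logged under "metadata: no" would look like.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2018-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
        "alert": {"signature_id": 1000001, "signature": "EXAMPLE TEST RULE"},
        "metadata": {
            "flowbits": ["/traffic/id/facebook", "ET.TorIP"],
            "flowvars": {"flow_var0_name": "flow_var0_value"},
            "flowints": {"flow_int0_name": 0, "flow_int1_name": 1},
            "pktvars": {"pkt_var0_name": "pkt_var0_value"},
        },
    }),
    json.dumps({
        "timestamp": "2018-01-01T00:00:05.000000+0000",
        "event_type": "flow",
        "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
        "metadata": {"flowbits": ["ET.TorIP"]},
    }),
    json.dumps({
        "timestamp": "2018-01-01T00:00:06.000000+0000",
        "event_type": "dns",
        "dns": {"type": "query", "rrname": "example.invalid"},
    }),
    "this line is not json",  # constructed corrupt line; must be skipped
]


def parse_eve(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one event dict per valid JSON line, skipping blank or corrupt lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def get_metadata(event: dict) -> Dict[str, object]:
    """Return the event's metadata object with every key present.

    flowbits is a list; flowvars, flowints and pktvars are dicts. Missing or
    malformed keys become empty so callers need not special-case events that
    were logged without metadata.
    """
    meta = event.get("metadata")
    if not isinstance(meta, dict):
        meta = {}
    out: Dict[str, object] = {}
    for key in META_KEYS:
        value = meta.get(key)
        if key == "flowbits":
            out[key] = list(value) if isinstance(value, list) else []
        else:
            out[key] = dict(value) if isinstance(value, dict) else {}
    return out


def events_with_flowbit(lines: Iterable[str], flowbit: str) -> List[Tuple[str, str]]:
    """List (event_type, timestamp) of every event whose flowbits include flowbit.

    Because the flow record carries metadata too, an alert can be tied to the
    flow it belongs to without re-running the rule logic.
    """
    hits: List[Tuple[str, str]] = []
    for event in parse_eve(lines):
        if flowbit in get_metadata(event)["flowbits"]:
            hits.append((event.get("event_type", ""), event.get("timestamp", "")))
    return hits


def flowbit_counts(lines: Iterable[str], event_type: Optional[str] = None) -> Counter:
    """Count how often each flowbit is logged, optionally for one event_type."""
    counts: Counter = Counter()
    for event in parse_eve(lines):
        if event_type is not None and event.get("event_type") != event_type:
            continue
        counts.update(get_metadata(event)["flowbits"])
    return counts


if __name__ == "__main__":
    for etype, ts in events_with_flowbit(SAMPLE_EVE_LINES, "ET.TorIP"):
        print(f"{ts} {etype}: flow carries flowbit ET.TorIP")
    print(flowbit_counts(SAMPLE_EVE_LINES))
```

Run it against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines; events that predate the metadata field, or that were written with the toggle off, simply yield empty metadata rather than a parse failure.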
Updated by Victor Julien about 7 years ago
I think it can be valuable to add to all events. Perhaps optional, although I don't really like adding options everywhere.
Updated by Jason Ish about 7 years ago
Victor Julien wrote:
I think it can be valuable to add to all events. Perhaps optional, although I don't really like adding options everywhere.
I was thinking of adding something like this to eve:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: @e_enable_evelog@
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      # Include top level metadata. Default yes.
      #metadata: no
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
This is a simple toggle at the top-level. It could later be extended to be:
metadata: []
which would be a list of what to log. [] being an empty list, so equivalent to no, or it could be:
metadata: [flowbits, flowints]
to just get the flowbits and flowints.
Each type could also specify this field I suppose. I don't want to go there now, but could be added later with compatibility issues.
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1