Feature #2352: eve: add "metadata" field to alert (rework of vars)
Status: Closed
Description
Re-work the "vars" object into a top-level "metadata" field that will initially contain flowbits, flowvars, flowints and pktvars. For example:
    {
        "metadata": {
            "flowbits": [
                "/traffic/id/facebook",
                "ET.TorIP"
            ],
            "flowvars": {
                "flow_var0_name": "flow_var0_value",
                "flow_var1_name": "flow_var1_value"
            },
            "flowints": {
                "flow_int0_name": 0,
                "flow_int1_name": 1
            },
            "pktvars": {
                "pkt_var0_name": "pkt_var0_value",
                "pkt_var1_name": "pkt_var1_value"
            }
        }
    }
Also, unlike the vars object, log this to flow/netflow event types as well. Perhaps all event types?
Updated by Victor Julien almost 8 years ago
I think it can be valuable to add to all events. Perhaps optional, although I don't really like adding options everywhere.
Updated by Jason Ish almost 8 years ago
Victor Julien wrote:
I think it can be valuable to add to all events. Perhaps optional, although I don't really like adding options everywhere.
I was thinking of adding something like this to eve:
    # Extensible Event Format (nicknamed EVE) event log in JSON format
    - eve-log:
        enabled: @e_enable_evelog@
        filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
        filename: eve.json
        # Include top level metadata. Default yes.
        #metadata: no
        types:
          - alert:
              # payload: yes             # enable dumping payload in Base64
              # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
This is a simple toggle at the top-level. It could later be extended to be:
metadata: []
which would be a list of what to log, [] being an empty list, so equivalent to "no"; or it could be:
metadata: [flowbits, flowints]
to just get the flowbits and flowints.
Each type could also specify this field I suppose. I don't want to go there now, but could be added later with compatibility issues.
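The following is an added worked example, not code from the issue or from Suricata itself. It puts the two proposals on this page side by side in Python: the top-level "metadata" object from the description (reused verbatim as sample data) and the eve-log "metadata" setting Jason sketches (yes, no, [] or a list of sections). select_metadata() applies those setting values to the metadata object, add_metadata() attaches the result to an event of any type, and events_with_flowbit() is a consumer that scans eve.json lines for a given flowbit while tolerating events that carry no metadata at all. How Suricata actually parses the YAML value, the helper names, and the sample eve.json lines are all assumptions made here for illustration.

```python
"""Added example: the proposed top-level 'metadata' object and the
eve-log 'metadata' toggle. Not Suricata's code; function names, the
handling of the YAML value and the sample lines are assumptions."""
import json

# Metadata object taken from the issue description.
EXAMPLE_METADATA = {
    "flowbits": ["/traffic/id/facebook", "ET.TorIP"],
    "flowvars": {"flow_var0_name": "flow_var0_value",
                 "flow_var1_name": "flow_var1_value"},
    "flowints": {"flow_int0_name": 0, "flow_int1_name": 1},
    "pktvars": {"pkt_var0_name": "pkt_var0_value",
                "pkt_var1_name": "pkt_var1_value"},
}

# The sections the description says the field initially contains.
KNOWN_SECTIONS = ("flowbits", "flowvars", "flowints", "pktvars")


def select_metadata(metadata, setting=True):
    """Return the metadata object to log, or None to omit the field.

    'setting' mirrors the eve-log 'metadata' value as a YAML loader would
    hand it over (assumed semantics, following the discussion):
      True / "yes"        -> log everything (the default)
      False / "no" / []   -> omit the field entirely
      ["flowbits", ...]   -> log only the listed sections
    Empty sections are dropped instead of being emitted as [] or {}.
    """
    if setting in (True, "yes"):
        wanted = KNOWN_SECTIONS
    elif setting in (False, "no", None) or setting == []:
        return None
    elif isinstance(setting, list):
        unknown = set(setting) - set(KNOWN_SECTIONS)
        if unknown:
            raise ValueError("unknown metadata section(s): %s" % sorted(unknown))
        wanted = tuple(s for s in KNOWN_SECTIONS if s in setting)
    else:
        raise ValueError("unsupported metadata setting: %r" % (setting,))
    selected = {k: metadata[k] for k in wanted if metadata.get(k)}
    return selected or None


def add_metadata(event, metadata, setting=True):
    """Attach the selected metadata to an event dict of any event type."""
    out = dict(event)
    selected = select_metadata(metadata, setting)
    if selected is not None:
        out["metadata"] = selected
    return out


def events_with_flowbit(eve_lines, flowbit):
    """Yield (event_type, event) for EVE JSON lines whose metadata.flowbits
    contains 'flowbit'. Blank, malformed and metadata-less lines are skipped,
    so the consumer keeps working when the toggle is off for some events."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        flowbits = event.get("metadata", {}).get("flowbits", [])
        if flowbit in flowbits:
            yield event.get("event_type"), event


# Constructed sample eve.json lines (not real Suricata output): an alert with
# full metadata, a flow event restricted to flowbits/flowints, and a flow event
# logged with the toggle off.
SAMPLE_EVE_LINES = [
    json.dumps(add_metadata({"event_type": "alert", "src_ip": "10.0.0.5",
                             "alert": {"signature_id": 1}}, EXAMPLE_METADATA)),
    json.dumps(add_metadata({"event_type": "flow", "src_ip": "10.0.0.5"},
                            EXAMPLE_METADATA, ["flowbits", "flowints"])),
    json.dumps(add_metadata({"event_type": "flow", "src_ip": "10.0.0.9"},
                            EXAMPLE_METADATA, "no")),
]


def tor_event_types(lines=SAMPLE_EVE_LINES):
    """Event types of the sample lines that carry the ET.TorIP flowbit."""
    return [etype for etype, _ in events_with_flowbit(lines, "ET.TorIP")]


if __name__ == "__main__":
    print(json.dumps(select_metadata(EXAMPLE_METADATA, ["flowbits", "flowints"]),
                     indent=2))
    print(tor_event_types())
```

Note that the consumer does not assume the field is present: with the toggle off, or on an event type that does not log it, the same pipeline still parses the line and simply never matches the flowbit, which is the behaviour a detection rule keyed on metadata should expect once the setting becomes configurable.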
Updated by Victor Julien over 7 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1beta1