Add option to change sensor-name log field
Currently if the sensor-name option is set, it will be logged to eve at the top level. This causes an issue with Filebeat, which is often used to process logs. In particular this causes an issue if not using the Filebeat Suricata module that maps Suricata events to ECS. What Filebeat will do is overwrite the host field with its own host object, losing the Suricata sensor name. Note that if using the Suricata module the host field is retained, but remapped to suricata.eve.host, so the problem isn't so bad.

Due to the popularity of Filebeat it would be nice to change the default field name used here. Something like sensor_name would be better for tools like Filebeat, but is just generally a better name for what this field is.
I'm not sure how to handle the upgrade path. Ideally newly generated configuration files would default to this new name just as the default.
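Added example, not part of the issue and not code from Suricata or Filebeat: a small Python model of the three ingestion paths described in the report (plain JSON decoding where Filebeat's own host object wins the key clash, the Suricata module nesting under suricata.eve, and the proposed sensor_name field). The EVE record and the ECS host object are constructed samples; the merge rules in ingest_keys_under_root are an assumption approximating Filebeat's json.keys_under_root / json.overwrite_keys behaviour, and the overwrite_keys case goes beyond what the report discusses to show the other failure mode (a string where the ECS host object mapping expects an object).

```python
import json

# Constructed sample EVE record, written the way the issue describes:
# the configured sensor-name appears as a top-level "host" string.
EVE_LINE = json.dumps({
    "timestamp": "2023-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "host": "sensor-01",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "alert": {"signature": "constructed test signature", "signature_id": 1000001},
})

# Constructed stand-in for the ECS "host" object that Filebeat attaches
# to every event it ships (an object, not a string).
BEAT_HOST = {"name": "logbox", "hostname": "logbox", "os": {"family": "debian"}}


def ingest_keys_under_root(line, overwrite_keys=False):
    """Toy model (assumption, not Filebeat code) of json.keys_under_root
    decoding: decoded JSON keys are merged at the top level alongside the
    fields the beat sets itself; on a key clash the beat's own field wins
    unless overwrite_keys is enabled."""
    event = {"host": dict(BEAT_HOST), "agent": {"type": "filebeat"}}
    for key, value in json.loads(line).items():
        if key in event and not overwrite_keys:
            continue
        event[key] = value
    return event


def ingest_suricata_module(line):
    """Toy model of the Suricata module path: EVE fields are nested under
    suricata.eve, so the sensor name lands in suricata.eve.host and never
    clashes with Filebeat's own host object."""
    return {"host": dict(BEAT_HOST), "suricata": {"eve": json.loads(line)}}


def rename_sensor_field(line, old="host", new="sensor_name"):
    """Rename the sensor-name key before the record reaches Filebeat. This
    is what a sensor_name default in Suricata (or a rename step in the
    shipping pipeline) would achieve."""
    record = json.loads(line)
    if old in record:
        record[new] = record.pop(old)
    return json.dumps(record)


def surviving_sensor_name(event):
    """Return the Suricata sensor name if it survived ingestion, else None."""
    if isinstance(event.get("sensor_name"), str):
        return event["sensor_name"]
    if isinstance(event.get("host"), str):
        return event["host"]
    eve = event.get("suricata", {}).get("eve", {})
    if isinstance(eve.get("host"), str):
        return eve["host"]
    return None


def ecs_host_intact(event):
    """True when the ECS host field is still an object (host.name etc.).
    A bare string here cannot be indexed into an object mapping."""
    return isinstance(event.get("host"), dict)


if __name__ == "__main__":
    cases = {
        "keys_under_root, beat wins": ingest_keys_under_root(EVE_LINE),
        "keys_under_root, overwrite_keys": ingest_keys_under_root(EVE_LINE, True),
        "suricata module": ingest_suricata_module(EVE_LINE),
        "renamed to sensor_name": ingest_keys_under_root(rename_sensor_field(EVE_LINE)),
    }
    for name, event in cases.items():
        print(f"{name:32} sensor={surviving_sensor_name(event)!s:10} "
              f"ecs_host_ok={ecs_host_intact(event)}")
```

Only the module path and the renamed field keep both the sensor name and a usable ECS host object; plain decoding loses one or the other depending on which side wins the key clash.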
Updated by Jason Ish over 1 year ago
Personally I'd like this field to default to sensor_name, with an option to rename it.
Updated by Victor Julien 8 months ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien 6 months ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1