Task #4919
openAdd option to change sensor-name log field
Description
Currently if the sensor-name option is set, it will be logged to eve at the top level host.
This causes an issue with Filebeat which is often used to process logs. In particular this causes an issue if not using the Filebeat Suricata module that maps Suricata events to ECS.
What Filebeat will do is overwrite the host field with its own host object, losing the Suricata sensor name. Note that if using the Suricata module the host field is retained, but remapped to suricata.eve.host, so the problem isn't so bad.
Due to the popularity of Filebeat it would be nice to change the default field name used here. Something like sensor or sensor_name would be better for tools like Filebeat, but is just generally a better name for what this field is.
I'm not sure how to handle the upgrade path. Ideally newly generated configuration files would default to this new name just as the default.
Updated by Jason Ish over 2 years ago
Personally I'd like this field to default to sensor_name, with an option to rename it.
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1