Optimization #5680: eve-log: reduce duplication of info - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #5680

open

JF CT

eve-log: reduce duplication of info

Optimization #5680: eve-log: reduce duplication of info

Added by Juliana Fajardini Reichow over 3 years ago. Updated over 3 years ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Eg: just keep flow id or community id for HTTP logs, for instance, and this would hold the info for the correlated events.

Related issues 1 (1 open — 0 closed)

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
#1

Related to Task #5488: Suricon 2022 brainstorm added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
#2

The request was in part to reduce IO pressure, which I understand, but I also feel this is mostly a post-processing function. See the work by the vast.io folks to compress data for example.

I would like to avoid a runtime cost by suricata to do any kind of de-duplication. Perhaps simply having more control over which fields are logged per eve type are enough?

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
#3

Assignee changed from OISF Dev to Community Ticket

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries