Feature #821
Status: open
conditional logging: output steering
Description
I would like to be able to log (or not) in various formats on a rule-by-rule basis. For example, I would like to see all HTTP requests directed at a particular sinkhole. It would be nice if I could simply add a rule like this:
alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:http;)
Or better yet, I'd like to be able to define my own log keywords in suricata.yaml in order to direct debug, pcap, or http logging at different files for different rules.
outputs:
  - debug1:
      format: alert-debug
      enabled: conditional   # 'yes' - enable for all alerts, 'no' - disable, 'conditional' - enable for rules using a log keyword
      filename: alert-debug1.log
      append: yes
      filetype: regular
  - sinkhole-http:
      format: http-log
      enabled: conditional
      filename: sinkhole-http.log
      append: yes
alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:sinkhole-http;)
alert tcp any 84 -> $HOME_NET any (msg:"Investigating strange traffic"; log:debug1;)
Updated by Andreas Herz over 7 years ago
- Related to Feature #1005: conditional logging: controlling what gets logged added
Updated by Andreas Herz over 7 years ago
- Related to deleted (Feature #1005: conditional logging: controlling what gets logged)
Updated by Victor Julien over 6 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to medium
- Difficulty set to high
Updated by Victor Julien about 5 years ago
What about an option to make a logger depend on the presence of a flowbit? Then rules can set this.
Updated by Victor Julien about 5 years ago
- Subject changed from Conditional logging to conditional logging: output steering
Updated by Victor Julien about 4 years ago
- Related to Feature #4172: Split eve.json into multiple files based on alert severity added
Updated by Philippe Antoine over 1 year ago
Not sure I get this log rules keyword's expected functionality.
I think there are metadata keywords that can be used in post-processing JSON to split the output.
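The per-rule output steering asked for in the description (one file for the sinkhole HTTP rule, another for the "strange traffic" rule) can be approximated today with the post-processing approach from the last comment: tag each rule with a metadata entry and split eve.json by that tag. The script below is an added example, not part of this issue or of Suricata itself. It assumes rules carry a metadata entry such as "metadata: log_target sinkhole-http;" (the key name log_target is hypothetical) and that Suricata renders rule metadata in eve.json as alert.metadata.log_target = ["sinkhole-http"], which is the shape rule metadata takes in the alert object when metadata output is enabled. The eve lines embedded in the script are constructed, not real Suricata output; malformed lines and non-alert events are counted rather than silently dropped, and target names are sanitized before they become file names so that rule metadata cannot steer output outside the chosen directory.

```python
"""Split Suricata eve.json alert records into per-target streams by rule metadata.

Added example, not Suricata's own code. Assumes alert.metadata.log_target
(hypothetical key) is a list of strings naming the desired output stream.
"""
import json
import os
import re
from collections import defaultdict

# Constructed sample eve.json lines (not real Suricata output).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":80,"alert":{"signature":"Sinkhole HTTP","signature_id":1000001,"metadata":{"log_target":["sinkhole-http"]}},"http":{"hostname":"sinkhole.example","url":"/"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":84,"dest_ip":"10.0.0.9","alert":{"signature":"Investigating strange traffic","signature_id":1000002,"metadata":{"log_target":["debug1"]}}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","alert":{"signature":"No steering metadata","signature_id":1000003}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}
not json at all
"""


def log_targets(record, key="log_target"):
    """Return the list of log targets one alert record names, or [] if none."""
    meta = record.get("alert", {}).get("metadata", {})
    values = meta.get(key, [])
    # eve normally emits a list of strings; tolerate a bare scalar as well.
    if isinstance(values, str):
        values = [values]
    return [v for v in values if isinstance(v, str)]


def split_eve(lines, key="log_target", default="default"):
    """Group alert records by log target.

    Returns (buckets, stats): buckets maps target name -> list of parsed
    records (a record naming several targets is copied to each; alerts with
    no target go to `default`); stats counts alerts, skipped non-alert
    events and malformed lines so nothing disappears unnoticed.
    """
    buckets = defaultdict(list)
    stats = {"alerts": 0, "skipped_non_alert": 0, "malformed": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            stats["malformed"] += 1
            continue
        if record.get("event_type") != "alert":
            stats["skipped_non_alert"] += 1
            continue
        stats["alerts"] += 1
        for target in log_targets(record, key) or [default]:
            buckets[target].append(record)
    return dict(buckets), stats


def safe_name(target):
    """Reduce a target name to a file-name-safe token (no separators, no dot-only names)."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", target).strip(".") or "default"


def write_buckets(buckets, directory="."):
    """Append each bucket to <directory>/<safe target>.json, one JSON record per line."""
    written = {}
    for target, records in buckets.items():
        path = os.path.join(directory, safe_name(target) + ".json")
        with open(path, "a", encoding="utf-8") as fh:
            for rec in records:
                fh.write(json.dumps(rec, separators=(",", ":")) + "\n")
        written[target] = path
    return written


if __name__ == "__main__":
    buckets, stats = split_eve(SAMPLE_EVE.splitlines())
    for name, recs in sorted(buckets.items()):
        print(f"{name}: {len(recs)} record(s)")
    print(stats)
```

Run against a live file with something like "split_eve(open('/var/log/suricata/eve.json'))" and then write_buckets(); the eve file is read line by line, so it works on a rotated or still-growing log. The flowbit approach from the earlier comment would need support inside Suricata, whereas this splitter only needs the rules to carry the metadata tag.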