
Feature #821: conditional logging: output steering

Added by Matt Carothers almost 13 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Target version:
Effort: medium
Difficulty: high
Label:
Description

I would like to be able to log (or not) in various formats on a rule-by-rule basis. For example, I would like to see all HTTP requests directed at a particular sinkhole. It would be nice if I could simply add a rule like this:

alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:http;)

Or better yet, I'd like to be able to define my own log keywords in suricata.yaml in order to direct debug, pcap, or http logging at different files for different rules.

outputs:
  - debug1:
      format: alert-debug
      enabled: conditional # 'yes' - enable for all alerts, 'no' - disable, 'conditional' - enable for rules using a log keyword
      filename: alert-debug1.log
      append: yes
      filetype: regular
  - sinkhole-http:
      format: http-log
      enabled: conditional
      filename: sinkhole-http.log
      append: yes


alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:sinkhole-http;)
alert tcp any 84 -> $HOME_NET any (msg:"Investigating strange traffic"; log:debug1;)

Related issues: 2 (2 open, 0 closed)

  • Related to Suricata - Feature #1005: conditional logging: controlling what gets logged (Assigned, Victor Julien)
  • Related to Suricata - Feature #4172: Split eve.json into multiple files based on alert severity (New, OISF Dev)

Updated by Victor Julien over 12 years ago (#1)

  • Target version set to TBD

Updated by Andreas Herz over 10 years ago (#2)

  • Assignee set to OISF Dev

Updated by Andreas Herz almost 9 years ago (#3)

  • Related to Feature #1005: conditional logging: controlling what gets logged added

Updated by Andreas Herz almost 9 years ago (#4)

  • Related to Feature #1005: conditional logging: controlling what gets logged added

Updated by Andreas Herz almost 9 years ago (#5)

  • Related to deleted (Feature #1005: conditional logging: controlling what gets logged)

Updated by Victor Julien over 7 years ago (#6)

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to high

Updated by Andreas Herz about 7 years ago (#7)

  • Assignee set to Community Ticket

Updated by Victor Julien over 6 years ago (#8)

What about an option to make a logger depend on the presence of a flowbit? Then rules can set this.

Updated by Victor Julien over 6 years ago (#9)

  • Subject changed from Conditional logging to conditional logging: output steering

Updated by Victor Julien over 5 years ago (#10)

  • Related to Feature #4172: Split eve.json into multiple files based on alert severity added

Updated by Philippe Antoine over 2 years ago (#11)

Not sure I get this `log` rule keyword's expected functionality.

I think there are metadata keywords that can be used in post-processing JSON to split the output.
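The post-processing approach mentioned above, as an added example that is not part of this ticket or of the Suricata code base: a small splitter that reads EVE JSON lines and groups alert records into per-destination buckets (and optionally files) based on a rule `metadata:` value. Assumptions made here: the routing key is a hypothetical metadata entry named `log` (mirroring the `log:<name>;` keyword proposed in the description, written in a rule as `metadata: log sinkhole-http;`), EVE exposes rule metadata as `alert.metadata` with one list of strings per key, and any record without that key (other event types, rules without it, unparsable lines) goes to a default bucket or is skipped. The sample EVE lines are constructed for the example.

```python
"""Split a Suricata EVE JSON stream into per-destination record lists.

Added example for this thread, not Suricata project code. Assumptions:
  * EVE alert records carry rule metadata as alert.metadata -> {key: [values]},
  * the routing key is a hypothetical metadata entry named "log",
  * records without that key go to a default bucket; bad lines are skipped.
"""
import json
import os
import sys
from collections import defaultdict

DEFAULT_DEST = "eve-default"

# Constructed sample EVE lines; all values are made up for the example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":80,'
    '"alert":{"signature_id":1000001,"signature":"Sinkhole HTTP",'
    '"metadata":{"log":["sinkhole-http"]}}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1000002,"signature":"Investigating strange traffic",'
    '"metadata":{"log":["debug1"]}}}',
    '{"event_type":"alert","alert":{"signature_id":1000003,"signature":"No log tag"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP"}',
    'this line is not JSON and must be skipped',
]


def destination(record, key="log", default=DEFAULT_DEST):
    """Return the destination name for one parsed EVE record."""
    if record.get("event_type") != "alert":
        return default
    metadata = record.get("alert", {}).get("metadata") or {}
    values = metadata.get(key)
    if not values:
        return default
    # Suricata emits a list of strings per metadata key; use the first value.
    return values[0] if isinstance(values, list) else str(values)


def split_eve(lines, key="log", default=DEFAULT_DEST):
    """Parse EVE lines and group the records by destination, skipping bad lines."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: drop it rather than abort
        buckets[destination(record, key, default)].append(record)
    return dict(buckets)


def write_split(lines, outdir, key="log", default=DEFAULT_DEST):
    """Append one <dest>.json file per destination under outdir; return record counts."""
    os.makedirs(outdir, exist_ok=True)
    counts = {}
    for dest, records in split_eve(lines, key, default).items():
        # Restrict names so a metadata value from a rule cannot select a path outside outdir.
        safe = "".join(c for c in dest if c.isalnum() or c in "-_") or default
        path = os.path.join(outdir, safe + ".json")
        with open(path, "a", encoding="utf-8") as fh:
            for record in records:
                fh.write(json.dumps(record, separators=(",", ":")) + "\n")
        counts[safe] = counts.get(safe, 0) + len(records)
    return counts


if __name__ == "__main__":
    # Usage: python split_eve.py < eve.json   (with no piped input, the sample lines are used)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVE_LINES
    for dest, records in sorted(split_eve(source).items()):
        print(f"{dest}: {len(records)} record(s)")
```

Routing on a metadata value keeps the rule set in charge of where its alerts end up, which is the effect the description asks for, at the cost of the extra write happening after Suricata rather than inside it; the file name is sanitised because the destination string comes straight from rule content.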
