Documentation #3751
Updated by Juliana Fajardini Reichow about 2 months ago
It would be nice if the @suricata.yaml.in@ file -- and hence the default configuration file -- contained at least a commented out version of the detailed alert metadata configuration, i.e. the
<pre><code class="yaml">
        - alert:
            #payload: yes             # enable dumping payload in Base64
            #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            #payload-printable: yes   # enable dumping payload in printable (lossy) format
            #packet: yes              # enable dumping of packet (without stream segments)
            #http-body: yes           # Requires metadata; enable dumping of http body in Base64
            #http-body-printable: yes # Requires metadata; enable dumping of http body in printable format

            # metadata:

              # Include the decoded application layer (ie. http, dns)
              #app-layer: true

              # Log the current state of the flow record.
              #flow: true

              #rule:
                # Log the metadata field from the rule in a structured
                # format.
                #metadata: true

                # Log the raw rule text.
                #raw: false
</code></pre>
The ReadtheDocs documentation shows it (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#alerts) but the @suricata.yaml.in@ only shows the @metadata: yes/no@ switch (https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L152). For someone who uses the example file and its comments as option documentation (such as me) that's a bit inconvenient.
------------
Edit: this task will be considered completed when both the documentation and the suricata.yaml.in explanation comment clearly indicate what enabling or disabling @metadata@ means to the EVE output, and the metadata options. The documentation should ideally include one or more examples.
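As an added example (not part of this ticket or of the Suricata project), the script below checks, from an eve.json sample, which of the alert options discussed above actually took effect, so an operator can confirm the result of enabling or disabling @metadata@ and the per-option switches. The EVE field names it looks for (@payload@, @payload_printable@, @packet@, top-level @flow@, @alert.metadata@, @alert.rule@) are assumed from the EVE alert format; the two alert records and the flow record are constructed sample lines, not captured Suricata output.

```python
import json

# Constructed eve.json lines (not real Suricata output). The first alert was
# logged with the extra alert options off; the second with payload, packet and
# the metadata sub-options enabled. The third line is a non-alert event.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2023-01-01T00:00:00.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "CONSTRUCTED test rule",
                  "category": "", "severity": 3},
    }),
    json.dumps({
        "timestamp": "2023-01-01T00:00:01.000000+0000", "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
        "alert": {"signature_id": 1000002, "signature": "CONSTRUCTED test rule 2",
                  "category": "", "severity": 3,
                  "metadata": {"affected_product": ["Any"]},
                  "rule": "alert tcp any any -> any any (msg:\"CONSTRUCTED test rule 2\"; sid:1000002;)"},
        "flow": {"pkts_toserver": 3, "pkts_toclient": 2, "bytes_toserver": 240},
        "payload": "R0VUIC8gSFRUUC8xLjEK",
        "payload_printable": "GET / HTTP/1.1\n",
        "packet": "AAAAAAAAAAAAAAAACABFAA==",
    }),
    json.dumps({"timestamp": "2023-01-01T00:00:02.000000+0000",
                "event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}),
]

# suricata.yaml option (dotted path under "- alert:") -> assumed EVE field path
# that appears in the alert record when the option is on.
OPTION_TO_FIELD = {
    "payload": ("payload",),
    "payload-printable": ("payload_printable",),
    "packet": ("packet",),
    "metadata.flow": ("flow",),
    "metadata.rule.metadata": ("alert", "metadata"),
    "metadata.rule.raw": ("alert", "rule"),
}


def field_present(record, path):
    """Walk a nested dict along `path`; True only if every key exists."""
    node = record
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True


def audit_alert(record):
    """Map each yaml option to whether its EVE field is present in one alert."""
    return {opt: field_present(record, path) for opt, path in OPTION_TO_FIELD.items()}


def audit_eve(lines):
    """Audit every alert record in an eve.json line stream.

    Returns a list of (signature_id, option -> bool) in file order; malformed
    lines and non-alert events are skipped rather than aborting the audit.
    """
    results = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") != "alert":
            continue
        sid = record.get("alert", {}).get("signature_id")
        results.append((sid, audit_alert(record)))
    return results


def options_missing(lines, expected):
    """Names of options in `expected` whose field is absent from some alert.

    `expected` is the set of options an operator believes are enabled in
    suricata.yaml; a non-empty result means the running config differs.
    """
    missing = set()
    for _sid, flags in audit_eve(lines):
        missing.update(opt for opt in expected if not flags.get(opt, False))
    return sorted(missing)


if __name__ == "__main__":
    for sid, flags in audit_eve(SAMPLE_EVE_LINES):
        on = [opt for opt, present in flags.items() if present]
        print(f"sid {sid}: enabled -> {', '.join(on) or 'none'}")
    print("missing:", options_missing(SAMPLE_EVE_LINES, {"metadata.flow", "payload"}))
```

Run it against a real eve.json with something like `audit_eve(open("eve.json"))`; if @options_missing@ reports an option you believe is switched on, the detailed block is probably still commented out, or a parent switch such as @metadata@ is off.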