Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
I have just installed Suricata 8, with the intention of forwarding logs to Splunk. It sits within the core switch, so has high visibility on the traffic through our network.
Perhaps I'm going about this the wrong way, but currently eve.json is being forwarded to Splunk via syslog, but the amount of logs is immense. My hope is to refine what is being logged, but I'm struggling with refining certain things.
I can completely cut out particular event types just fine by removing them within the suricata.yml file. But is it at all possible to get granular within a particular event type? Say, for instance, if I want to not log DNS traffic between particular endpoints. I have spent a fair amount of time consulting forums, and also different AI platforms. AI keeps providing suggestions with log suppression, or creating local.rules entries that either pass/drop what I want, but the end result is the information still shows up in eve.log after I apply the changes and restart. After quite a bit of back and forth, these AI platforms seem to hint that what I wish to do may not be possible. That you log all DNS, or you don't.
I am using Suricata 8.0.0 running on Ubuntu Server 24.04.3, and I installed it directly through the apt-get repository. Hope this all makes sense?
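Independent of what the Suricata configuration itself can express, one defender-side option for the situation described in this post is to filter eve.json between Suricata and the syslog forwarder, dropping only DNS events exchanged between chosen endpoint pairs while leaving every other event (and every other DNS event) untouched. The script below is an added example, not Suricata's own code or anything from this thread; the eve.json lines it processes are constructed samples, and the endpoint pair it suppresses (10.0.0.5 and 10.0.0.53) is an assumed placeholder.

```python
import json
import sys
from typing import FrozenSet, Iterable, List, Set, Tuple

# Constructed sample eve.json lines (NDJSON, one event per line). These are not
# real captures; they only mimic the fields Suricata's eve output uses.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","rrname":"example.com"}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.org"}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","alert":{"signature":"constructed test alert"}}',
    'this line is not json and must pass through untouched',
]


def endpoint_pair(src_ip: str, dest_ip: str) -> FrozenSet[str]:
    """Direction-agnostic key for a pair of endpoints, so a query and its reply
    (which swap src/dest) are matched by the same entry."""
    return frozenset((src_ip, dest_ip))


def filter_eve(
    lines: Iterable[str],
    suppressed_event_type: str,
    suppressed_pairs: Set[FrozenSet[str]],
) -> Tuple[List[str], int]:
    """Return (kept_lines, dropped_count).

    Only events whose event_type matches AND whose src/dest pair is in
    suppressed_pairs are dropped. Everything else, including lines that do not
    parse as JSON, is forwarded unchanged so that nothing is lost silently.
    """
    kept: List[str] = []
    dropped = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            kept.append(line)  # pass through rather than discard; visible in Splunk for review
            continue
        if (
            event.get("event_type") == suppressed_event_type
            and endpoint_pair(event.get("src_ip"), event.get("dest_ip")) in suppressed_pairs
        ):
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


# Assumed suppression list: DNS between one client and one resolver (placeholder values).
SUPPRESSED_DNS_PAIRS: Set[FrozenSet[str]] = {endpoint_pair("10.0.0.5", "10.0.0.53")}


def run_sample() -> Tuple[int, int]:
    """Apply the filter to the constructed sample and report (kept, dropped)."""
    kept, dropped = filter_eve(SAMPLE_EVE_LINES, "dns", SUPPRESSED_DNS_PAIRS)
    return len(kept), dropped


if __name__ == "__main__":
    # Usage: tail -F /var/log/suricata/eve.json | python3 eve_filter.py | <forwarder>
    # Reads eve.json from stdin and writes the filtered stream to stdout.
    kept_lines, n_dropped = filter_eve(sys.stdin, "dns", SUPPRESSED_DNS_PAIRS)
    sys.stdout.write("\n".join(kept_lines) + ("\n" if kept_lines else ""))
    sys.stderr.write(f"dropped {n_dropped} suppressed events\n")
```

Two design choices matter here: the pair key is direction-agnostic, so both the query and the answer of a suppressed conversation are removed, and unparsable lines are forwarded instead of dropped, so a truncated or rotated-mid-write line shows up in Splunk rather than disappearing. Keeping the filter outside Suricata also means the full eve.json on disk stays intact for incident response, and only the forwarded volume is reduced.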