Can I rename Suricata fields in eve.json, and where can I get all possible fields?

Hi,
I am creating a database using eve.json.
I want to rename a few fields in eve.json. Can I do that?
If yes, what's the process?

Secondly, not all fields are required at this time, but I want to include all the fields that eve.json can provide so that if I enable something in future it doesn't affect my database.
Where can I get a list of all possible fields in eve.json?


You could start by proposing the field name changes in the forum (with an appropriate title) as a first step to see what folks are thinking. It’s possible that more folks share your thoughts on field renames.

We don’t have a definitive list of field names except in the code. Look at the output-json*.c modules as well as source code modules in rust/src/xxx/*.rs.

Many (but not all) fields are established with a function like jb_set_<type> or JB_SET in the src directory (C code). There are many places in rust/src where fields are created (but the function used is different).

The JSON builder code is 100% rust – see rust/src/

There is a Suricata-Verify pull request that has an almost complete (if not complete) JSON schema of eve.json. The pull request is "GitHub ci jsonschema/v7 by catenacyber · Pull Request #590 · OISF/suricata-verify", but here's a link to the schema file that will give you all the fields and possible data types: suricata-verify/schema.json at c24bdd98c881af8f3e8a4d296d38872096bd5539 · OISF/suricata-verify

We don’t provide any ability to rename fields in Suricata itself; that’s often best left to external tools…

With respect to storing eve records in a database, I’ve had good luck using the JSON datatypes in PostgreSQL and SQLite.

Also just for info, some fields can be dynamically generated - like for example the ones resulting from enabling the dump-all-headers option in http : suricata/ at master · OISF/suricata · GitHub

There are several options for how to modify the JSON output of Suricata. One common approach is to do this in the log shipper; for example, Filebeat can rename fields.

it all dep
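As an added example (not code from the thread or from the Suricata project), here is the "rename outside Suricata, then store the record as JSON" approach the replies describe, done in Python with SQLite's JSON functions: the rename map, the sample eve.json lines and the `source.ip`/`alert.sid` target names are all constructed assumptions, and the unrenamed record is kept whole so fields enabled later still land in the database.

```python
import json
import sqlite3

# Constructed sample eve.json lines (not captured from a real Suricata instance).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","alert":{"signature_id":1,"signature":"TEST","severity":2}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.3","dest_ip":"10.0.0.4","http":{"hostname":"example.test","url":"/","status":200}}
"""

# Assumed rename map: dotted source path -> dotted destination path.
RENAMES = {"src_ip": "source.ip", "dest_ip": "destination.ip", "alert.signature_id": "alert.sid"}

def _pop_path(obj, keys):
    # Walk nested dicts; remove and return the leaf, or (False, None) if absent.
    for key in keys[:-1]:
        obj = obj.get(key) if isinstance(obj, dict) else None
    if isinstance(obj, dict) and keys[-1] in obj:
        return True, obj.pop(keys[-1])
    return False, None

def _set_path(obj, keys, value):
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value

def rename_fields(record, renames):
    # Deep-copy the record, then move each source path to its destination path.
    out = json.loads(json.dumps(record))
    for src, dst in renames.items():
        found, value = _pop_path(out, src.split("."))
        if found:
            _set_path(out, dst.split("."), value)
    return out

def load_into_sqlite(lines, renames):
    # Store each renamed record as JSON text; json_extract() queries it in place.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eve (id INTEGER PRIMARY KEY, event_type TEXT, record TEXT NOT NULL)")
    for line in lines:
        if line.strip():
            rec = rename_fields(json.loads(line), renames)
            conn.execute("INSERT INTO eve (event_type, record) VALUES (?, ?)",
                         (rec.get("event_type"), json.dumps(rec)))
    conn.commit()
    return conn

def alert_sids(conn):
    # Pull the renamed nested fields back out without a dedicated column per field.
    sql = "SELECT json_extract(record, '$.alert.sid'), json_extract(record, '$.source.ip') FROM eve WHERE event_type = 'alert'"
    return conn.execute(sql).fetchall()
```

Because the whole record is stored, a field that Suricata starts emitting later (for example after enabling dump-all-headers) needs no schema change, only a new json_extract() expression or index.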