Eve.json how to display only rules alert

Test · May 4, 2021, 1:13pm

I want eve.json contains only packages which trigger my rules, let’s say this one:
alert udp any any → any any (msg:“UDP GGA message found”; content: “GGA”; sid: 3000;)

At the moment this is the config of eve.json:

stats:
enabled: yes
interval: 8

outputs:

eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
level: Alert ← I change this from “Info” to “Alert”

However I still get eve.json updated every 8 seconds (the interval) with the stats log like this:

{“timestamp”:“2021-05-04T12:55:44.548639+0000”,“event_type”:“stats”,“stats”: {etc… etc…}}

I tried to set stats.enabled: no but it gives an error on start up.
I also tried stats.decoder-events: false but it still write events every interval value seconds.

How can I avoid this?
Thank you in advance!

ish · May 4, 2021, 1:59pm

Look a little further down in the config under the eve-log section. You will see:

types:
  - alert: ...
  - anomaly: ...

this is where you can remove event types that you don’t want to see in the output.

Test · May 4, 2021, 2:29pm

Thak you so much!
That worked!

Topic		Replies	Views
Extensible Event Format logs issue	4	77	March 27, 2024
How to exclude Flow from eve-log Help events	2	557	August 23, 2023
Missing event data from Eve log Help	5	983	October 1, 2020
Is it possible to record pass event as well? Developers	2	374	June 20, 2021
Unexpectedly seeing alert records written to eve.json when pass rules are triggered Help	4	900	November 18, 2022

Eve.json how to display only rules alert

Related Topics