Eve.json ingest to Splunk (over 100GB a day)

Looking for some general help, or somewhere to look into tuning for eve.json ingest into Splunk. Trying to lower our ingest amount.

Currently using Suricata 4.1 (need to verify version, but do not think it's 5.0) with SecurityOnion. In 10 minutes was getting 11GB of ingested traffic.
-eve.json is enabled
-community-id is enabled
-added a separate include file for variables.

  • Using the basic ET rules (with some basic tuning)

Should we be focusing on the enabled/disabled rule sets or is there something we should be doing in the yaml file?

This depends on what you want to achieve in the end. Rules that just result in FPs and are noisy should be disabled. You should look into the ingest data and focus on what you want to get rid of without losing too much visibility.
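One way to look into the ingest data before deciding what to drop, as an added example that is not part of the thread: tally eve.json volume per `event_type`, with alerts split per signature ID so noisy rules stand out. The sample lines and the signature ID are constructed; the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the thread); real input would be
# read line by line from the eve.json file itself.
SAMPLE_EVE = """\
{"timestamp":"2020-01-01T00:00:00","event_type":"flow","proto":"TCP","flow":{"bytes_toserver":900,"bytes_toclient":4000,"state":"closed"}}
{"timestamp":"2020-01-01T00:00:01","event_type":"flow","proto":"UDP","flow":{"bytes_toserver":80,"bytes_toclient":120,"state":"established"}}
{"timestamp":"2020-01-01T00:00:02","event_type":"stats","stats":{"uptime":60,"decoder":{"pkts":1200,"bytes":900000}}}
{"timestamp":"2020-01-01T00:00:03","event_type":"dns","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2020-01-01T00:00:04","event_type":"alert","alert":{"signature_id":1000001,"signature":"constructed noisy rule"}}
{"timestamp":"2020-01-01T00:00:04","event_type":"alert","alert":{"signature_id":1000001,"signature":"constructed noisy rule"}}
{"timestamp":"2020-01-01T00:00:05","event_type":"flow","pro
"""

def tally_eve(lines):
    """Return {key: [event_count, byte_count]} for an iterable of eve.json lines.

    Alerts are keyed as 'alert:<signature_id>'; other records by event_type.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        line = line.strip()
        if not line:
            continue
        size = len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None  # e.g. a line cut short while the file was rotated
        if not isinstance(event, dict):
            key = "unparseable"
        else:
            key = event.get("event_type", "unknown")
            if key == "alert":
                key = "alert:%s" % event.get("alert", {}).get("signature_id", "?")
        totals[key][0] += 1
        totals[key][1] += size
    return dict(totals)

def report(totals):
    """Return (key, count, bytes, percent_of_bytes) rows, largest first."""
    grand = sum(b for _, b in totals.values()) or 1
    rows = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(k, c, b, round(100.0 * b / grand, 1)) for k, (c, b) in rows]

if __name__ == "__main__":
    for key, count, size, pct in report(tally_eve(SAMPLE_EVE.splitlines())):
        print("%-16s %6d events %8d bytes %5.1f%%" % (key, count, size, pct))
```

For a real sensor, pass an open file handle on eve.json to `tally_eve` instead of the sample; the rows at the top of the report are the event types or rules worth reviewing first.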

So we are using SecurityOnion and have both Zeek and Suricata data ingesting into Splunk currently. Looking over the differences between, for example, Zeek HTTP and Suricata HTTP, Zeek DNS and Suricata DNS, to see which is the better to keep.

Also thinking of dropping the stats portion of the eve.json, and breaking it out into different eve.jsons.

Another thing: is there any issue with eve growing forever? Looking at log rotate, just not implemented.

Hello. Having a similar issue. Is it possible to disable flow logs?
Thanks in advance.

Hi. Just comment out the line in the configuration file.
Should be something like this line.
