Eve-log level settings?

suricataj · February 1, 2022, 5:47pm

Can anyone explain what the level is used for here? Is there a list of what the different levels actually change or do?

I am trying to make adjustments and to the eve log and reduce some of the noise. I know that there are sections for -alerts and more below this section but I am trying to understand what level is used for.

eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# Enable for multi-threaded eve.json output; output files are amended
# with an identifier, e.g., eve.9.json
#threaded: false
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: “suricata”
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug

Jeff_Lucovsky · February 2, 2022, 1:37pm

level only applies when EVE entries are sent to syslog. Syslog uses level classifications to determine the handling of each message. Levels are builtin to syslog and are also referred to as severity levels. See Syslog - Wikipedia

To reduce “noise”, ensure that you’re only logging what you need. Each of the listed protocols in the output section can be disabled. You can also use “thresholds” to limit how often alerts are logged; see 6.31. Thresholding Keywords — Suricata 6.0.4 documentation

Topic		Replies	Views
Logging different kind of logs in different EVE files Help	2	1464	June 11, 2020
Eve.json severity:1 Help	4	242	February 5, 2024
Extensible Event Format logs issue	4	77	March 27, 2024
Interface in eve log Help	9	4562	June 1, 2020
Severity levels in eve.json Rules rules , suricata	3	420	April 13, 2024

Eve-log level settings?

Related topics