Evebox/esimport - There does not appear to be an entry for sensor id/name

There does not appear to be an option for esimport to give a sensor name.

I have several logical sensors (composed of more than one physical sensor) and I need to analyse the alerts separately. With barnyard there is a configuration option to give the sensor name.

One possible workaround would be to have a different name for the eve.json file on each sensor, as that does get logged. Another is to put the data into different indexes. Neither is ideal.

Suricata can be configured to log a sensor-name, see suricata/suricata.yaml.in at master · OISF/suricata · GitHub.

It's a bit unfortunate that it logs in the JSON file as host, which conflicts with Filebeat's concept of a host, but it might work for you provided you're not mixing Logstash/EveBox added data with Filebeat added data.

I see the EveBox agent mode has a way to add custom fields to each alert, but that's not in elastic-import. Time to unify these two tools at some point, I think.

Thanks Jason! I missed that – since I am using evebox to import at the moment that will work for me. I generate my suricata.yaml file from an embedded ruby do using puppet which has the sensor name available. 10 second fix : )
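To show what the `sensor-name` setting buys you on the analysis side, here is an added example (not code from the thread, EveBox or Suricata) that reads EVE JSON lines and splits alert records by the sensor that produced them. It takes the sensor name from the `host` field that Suricata writes when `sensor-name` is configured, and falls back to the log file path for records without it, mirroring the per-sensor eve.json file name workaround from the original post. The sample EVE lines and the file path are constructed for illustration; the function names are this example's own.

```python
"""Group Suricata EVE alert records by originating sensor.

Added example, not part of the forum thread or of EveBox/Suricata.
Suricata writes the configured ``sensor-name`` into each EVE record as
the ``host`` field; records lacking it are attributed to the log path
(constructed fallback that mirrors the thread's per-file workaround).
"""
import json
from collections import Counter, defaultdict

# Constructed sample EVE lines: two named sensors, one unnamed sensor,
# one non-alert event and one malformed line to exercise the error path.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"host":"sensor-a","src_ip":"10.0.0.1","dest_ip":"10.0.0.2",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED alert one"}}',
    '{"timestamp":"2021-01-01T00:00:01.000000+0000","event_type":"alert",'
    '"host":"sensor-a","src_ip":"10.0.0.3","dest_ip":"10.0.0.2",'
    '"alert":{"signature_id":1000002,"signature":"CONSTRUCTED alert two"}}',
    '{"timestamp":"2021-01-01T00:00:02.000000+0000","event_type":"alert",'
    '"host":"sensor-b","src_ip":"10.0.1.1","dest_ip":"10.0.1.2",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED alert one"}}',
    '{"timestamp":"2021-01-01T00:00:03.000000+0000","event_type":"flow",'
    '"host":"sensor-b","src_ip":"10.0.1.1","dest_ip":"10.0.1.2"}',
    '{"timestamp":"2021-01-01T00:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.2.1","dest_ip":"10.0.2.2",'
    '"alert":{"signature_id":1000003,"signature":"CONSTRUCTED alert three"}}',
    'this line is not JSON',
]

# Constructed path standing in for the eve.json file the lines came from.
SAMPLE_LOG_PATH = "/var/log/suricata/eve-sensor-c.json"


def sensor_of(record, log_path):
    """Return the sensor label for one EVE record.

    ``host`` carries Suricata's ``sensor-name``; when it is missing the
    log path is used instead (or "unknown" if no path is known either).
    """
    return record.get("host") or log_path or "unknown"


def group_alerts_by_sensor(lines, log_path=None):
    """Map sensor label -> list of alert records parsed from ``lines``.

    Non-alert event types and unparseable lines are skipped so that a
    single bad line does not abort processing of the whole file.
    """
    grouped = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupt or partially written lines
        if record.get("event_type") != "alert":
            continue
        grouped[sensor_of(record, log_path)].append(record)
    return dict(grouped)


def alert_counts_by_sensor(lines, log_path=None):
    """Count alerts per sensor, e.g. to confirm each sensor is labelled."""
    grouped = group_alerts_by_sensor(lines, log_path)
    return Counter({sensor: len(alerts) for sensor, alerts in grouped.items()})


def signatures_by_sensor(lines, log_path=None):
    """Map sensor label -> sorted list of distinct alert signature names."""
    grouped = group_alerts_by_sensor(lines, log_path)
    return {
        sensor: sorted({r["alert"]["signature"] for r in alerts})
        for sensor, alerts in grouped.items()
    }


if __name__ == "__main__":
    for sensor, count in alert_counts_by_sensor(SAMPLE_EVE_LINES, SAMPLE_LOG_PATH).items():
        print(f"{sensor}: {count} alert(s)")
```

Pointing `group_alerts_by_sensor` at real eve.json lines (for example `open(path)` with the same `path` as `log_path`) gives the per-sensor split the original post asks for; a sensor that shows up under its file path rather than a name is one whose suricata.yaml is still missing `sensor-name`.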