I have set eve logs to Alert (level: Alert) and made sure that under types: everything else like anomaly, http, dns, tls, files, smtp etc. is disabled except alerts and stats.
When I send TLS traffic I can still see TLS logs ("event_type": "tls") as part of the eve.json file.
When I set level to Alert I should see only Alert logs. Am I missing anything here?
Can you share the eve-log section of your yaml here?
@vjulien, here it is, I am sharing the suricata.yaml file.
suricata_to_forum.yaml (70.9 KB)
The level setting only applies to syslog I think, but since the filetype is regular, it won't have any effect. It is not an event type filter. To only have alerts, comment out the other things from the types list. Simply something like:
```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      ethernet: yes # log ethernet header in events when available
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
```
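A quick way to confirm that a trimmed types: list actually took effect is to count the event_type values in the resulting eve.json rather than eyeballing it. The script below is an added example, not code from the Suricata project or from anyone in this thread; it only assumes the EVE format documented above (one JSON object per line with an event_type field), and the sample lines embedded in it are constructed for illustration, not captured from a sensor.

```python
"""Report which event types are present in an eve.json file.

Added example (not Suricata project code). Useful after editing the
eve-log types: list: if anything other than the types you left enabled
shows up, the change did not take effect (or another eve-log output
block is still writing to the same file).
"""
import json
from collections import Counter

# Constructed sample of eve.json lines, shaped like a log taken *before*
# trimming the types: list (tls and dns still present) plus one junk line.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2",'
    '"alert":{"signature_id":1,"signature":"constructed alert"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2","tls":{"sni":"example.com"}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.1","dest_ip":"10.0.0.2",'
    '"dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"stats",'
    '"stats":{"uptime":3}}',
    '{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.3","dest_ip":"10.0.0.2",'
    '"alert":{"signature_id":2,"signature":"constructed alert 2"}}',
    'this line is not JSON and is skipped',
]


def event_type_counts(lines):
    """Return (Counter of event_type -> count, number of unparseable lines).

    Lines that are not valid JSON are counted separately instead of
    aborting, since a partially written last line is normal on a live file.
    """
    counts = Counter()
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        counts[event.get("event_type", "<missing>")] += 1
    return counts, bad


def unexpected_types(lines, allowed=("alert", "stats")):
    """Sorted list of event types present in the log but not in `allowed`.

    An empty list means the eve-log types: list is doing what you expect.
    """
    counts, _ = event_type_counts(lines)
    return sorted(t for t in counts if t not in allowed)


def check_file(path, allowed=("alert", "stats")):
    """Run unexpected_types() over a real eve.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_types(fh, allowed)


if __name__ == "__main__":
    counts, bad = event_type_counts(SAMPLE_EVE_LINES)
    for event_type, n in counts.most_common():
        print(f"{event_type:10s} {n}")
    print(f"unparseable lines: {bad}")
    extra = unexpected_types(SAMPLE_EVE_LINES)
    print("unexpected event types:", extra or "none")
```

Run it against the live file with check_file("/var/log/suricata/eve.json") once the sensor has seen some TLS traffic; a non-empty result means the tls entry (or another type) is still enabled somewhere in the eve-log section.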
@vjulien, thank you, that worked.