Having flowints and flow metadata in TLS Eve logs

Lyonid · June 12, 2020, 7:57am

Hi everyone.
Is there a way to have flowints and flow metadata (like to_server_pkts, to_client_bytes…) in a TLS Eve log? I tried setting

- tls:
    enabled: yes
    extended: yes
    metadata:
      flow: true

in my suricata.yaml, but logs are as they were without metadata.

ish · June 12, 2020, 3:51pm

I don’t think this is possible right now. The TLS record will have a flow_id that you can use to lookup the flow_record, however, the TLS record is likely to be logged during connection setup, but the flow log won’t be logged until the connection is done (or timed out), so it may not be available immediately.

Topic		Replies	Views
All possible Eve TLS log fields? Help	1	390	June 16, 2020
Eve.json only shows "event_type":"flow" Help	7	1351	October 22, 2020
Help Needed ! Suricata drops - ,"metadata":{"flowints":{"http.anomaly.count":1}}, Rules ips , rules	5	192	October 7, 2023
Enrichment for Application layer protocol related events Rules rules	2	766	August 4, 2021
Only Logging DNS traffic; tcpdump shows other traffic available Help	12	884	March 25, 2022

Having flowints and flow metadata in TLS Eve logs

Related Topics