Hostname field in events

I’m trying to figure out if it’s still possible to have Suricata append the hostname of the machine under which it is running: output-json: add sensor-name config variable · OISF/suricata@60ea49c · GitHub

Thank you

Have you tried setting the sensor-name field manually? Eve does not have a field automatically populated with the hostname.

If you use a logshipper to forward events/alerts to other tools, normally this field will be added.

Hi Jason. I have not, no. I read that if I don’t add a name to that field it will be populated with the hostname of the machine. Are you aware if that is the case?

I’ll try adding that field to my config and see if it shows up on eve.

Would be awesome to have this feature and not rely on another log shipper.

Generally no. The redis output may add that, but it’s not in there by default when eve is written to a file.

Hi Jason! Thank you for continuing to come back to me.

Just to make sure I understand: at the very best, if I add sensor-name in my config, along with a value, I’ll get that in my eve. But even if I add sensor-name without value, it will not populate automatically with the hostname of the machine?

Correct, you must provide it a value. It actually comes out in the eve log under the host field which is unfortunately not compatible with Filebeat if using that – Filebeat will overwrite this field with its own host object.
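Since eve only emits a host field when sensor-name is given a value under the eve-log output in suricata.yaml, and a shipper such as Filebeat then replaces that top-level host key with its own host object, the practical workaround discussed above is to add the sensor identity in the shipping step. The script below is an added example and is not Suricata's code or anything posted in this thread: it reads eve.json lines, keeps a host value that sensor-name already wrote, falls back to the local hostname when the field is missing, and copies the value into a second field so it survives Filebeat's rewrite of host. The field name sensor_name, the hostname ids-edge-01 and the sample eve lines are all assumptions constructed for the example.

```python
import json
import socket
from typing import Iterable, Iterator, Optional

# Constructed sample eve.json lines (not real Suricata output). The first has
# no host field, as eve writes when sensor-name is unset; the second carries
# the "host" key that sensor-name: sensor01 would produce; the third is a
# truncated line of the kind a shipper sees when it reads a file mid-write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature_id":1,"signature":"constructed test rule"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns",'
    '"host":"sensor01","src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":',
]


def enrich_eve_event(event: dict, hostname: str, field: str = "sensor_name") -> dict:
    """Return a copy of the event with the sensor identity filled in.

    A "host" value already written by eve (sensor-name set in suricata.yaml)
    wins; the local hostname is only the fallback. The chosen value is also
    copied into `field` ("sensor_name" is a hypothetical name picked for this
    example) so it survives a shipper that overwrites the top-level "host"
    key with its own host object, as Filebeat does.
    """
    out = dict(event)
    sensor = out.get("host") or hostname
    out.setdefault("host", sensor)
    out[field] = sensor
    return out


def enrich_eve_lines(lines: Iterable[str], hostname: Optional[str] = None) -> Iterator[str]:
    """Yield enriched JSON lines; lines that do not parse are skipped.

    hostname defaults to socket.gethostname(), i.e. the machine Suricata runs on.
    """
    hostname = hostname or socket.gethostname()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Partial or garbled line; a real shipper would re-read it later.
            continue
        if not isinstance(event, dict):
            continue
        yield json.dumps(enrich_eve_event(event, hostname), separators=(",", ":"))


if __name__ == "__main__":
    # Hostname pinned so the run is reproducible; omit it to use the real one.
    for out_line in enrich_eve_lines(SAMPLE_EVE_LINES, hostname="ids-edge-01"):
        print(out_line)
```

Running it prints the first two events with both host and sensor_name set (ids-edge-01 for the first, sensor01 for the second, because eve's own value is kept) and drops the truncated third line. If Filebeat is the shipper, point dashboards and detections at sensor_name rather than host, since host will carry Filebeat's object after ingestion.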