I would like to reduce the EVE file size and only have alerts along with their associated events.
I just asked ChatGPT and it told me to do the following. Is this correct?
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - http
        - tls
        - dns
        - smtp
        - ssh
        - stats
  - alert:
      enabled: yes
      filename: /var/log/suricata/alerts.json
      # Show alerts with events only
      output.alert_with_payload: yes
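Independently of how the suricata.yaml question above is answered, the "alerts plus their associated events" result can be produced by post-processing an existing eve.json: keep every record whose flow_id also carries an alert, and drop the rest. This is an added example, not code from the original post, and it assumes only the standard EVE fields event_type and flow_id; the sample lines are constructed.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample EVE lines: flow 1 has an http event and an alert (keep both),
# flow 2 has dns/flow events but no alert (drop), stats has no flow_id at all.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,"event_type":"http","http":{"hostname":"example.test"}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":1,"event_type":"alert","alert":{"signature_id":1000001}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","flow_id":2,"event_type":"dns","dns":{"rrname":"other.test"}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","flow_id":2,"event_type":"flow"}',
    '{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"stats","stats":{"uptime":4}}',
]


def filter_alert_flows(lines: Iterable[str], keep_types=()) -> List[Dict]:
    """Keep every EVE record on a flow that produced at least one alert.

    Records without a flow_id (e.g. stats) are only kept if their event_type
    is listed in keep_types. The whole input is parsed into memory so that a
    flow's earlier events (http before alert) can be recovered on the second pass.
    """
    records: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line instead of aborting
    alert_flows = {r["flow_id"] for r in records
                   if r.get("event_type") == "alert" and "flow_id" in r}
    return [r for r in records
            if r.get("flow_id") in alert_flows or r.get("event_type") in keep_types]


def filter_file(src: str, dst: str, keep_types=("stats",)) -> int:
    """Filter src (an eve.json) into dst, one JSON record per line; returns count kept."""
    with open(src, encoding="utf-8") as f_in:
        kept = filter_alert_flows(f_in, keep_types)
    with open(dst, "w", encoding="utf-8") as f_out:
        for rec in kept:
            f_out.write(json.dumps(rec) + "\n")
    return len(kept)


if __name__ == "__main__":
    for rec in filter_alert_flows(SAMPLE_EVE_LINES, keep_types=("stats",)):
        print(rec["event_type"], rec.get("flow_id"))
```

Note that a flow's non-alert events written before the alert fired are only recoverable this way, after the fact; a per-type filter in suricata.yaml cannot know in advance which flows will alert.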