Hi, I am currently using the Suricata socket client (suricatasc) to send pcap files to Suricata. Here is how my eve.json file is configured in
```yaml
- eve-log:
    enabled: yes
    filetype: regular
    #filename: eve-alerts-%Y-%m-%d-%H:%M:%S.json
    filename: eve-alerts-%s.json
    rotate-interval: minute
    types:
      - alert:
          payload: yes
          packet: yes
          metadata: yes
          tagged-packets: yes
```
Currently, a separate timestamped eve.json file is created for each pcap that is sent to Suricata:
Is my eve.json configuration the recommended way to create a separate eve.json file for each pcap? I was thrown off because it seems that Suricata is ignoring the `rotate-interval: minute` value. A new eve.json file was not created every minute, but after every new pcap file was processed.