Hi. I don't understand how to exclude the field “Event type Flow” from eve.json.
My configuration output, version 7:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      community-id: true
      community-id-seed: 0
      types:
        - alert:
            payload-printable: yes
            http-body-printable: yes
        - anomaly:
            enabled: yes
            types:
              applayer: yes
        - stats:
            totals: yes
But I get event type flow in the log file:
{"timestamp":"XXXXXX","flow_id":725964770736380,"in_iface":"XXXXX","event_type":"alert","vlan":[XXX],"src_ip":"XXXX","src_port":55954,"dest_ip":"XXXXX","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:VRzSSyXTQwokqTTAblhs9domRek=","alert":{"action":"allowed","gid":1,"signature_id":2210029,"rev":2,"signature":"SURICATA STREAM ESTABLISHED invalid ack","category":"Generic Protocol Command Decode","severity":3},"direction":"to_server","flow":{"pkts_toserver":2371,"pkts_toclient":4287,"bytes_toserver":163290,"bytes_toclient":6160181,"start":"XXXXXX","src_ip":"XXXXX","dest_ip":"XXXXX","src_port":55954,"dest_port":443},"payload_printable":"","stream":0,"host":"XXXXXX"}",
What am I doing wrong?
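As an added example (not part of this post or of Suricata itself), a small Python checker that reads EVE JSON lines and reports, per top-level event_type, how many records exist and how many of them carry a nested "flow" object; it makes visible that an alert record with a "flow" sub-object is still an alert, while only records whose own event_type is "flow" come from the flow output type. The sample lines are constructed placeholders, not real traffic.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Suricata EVE JSON (placeholder values):
# an alert that carries a nested "flow" object, a separate record whose top-level
# event_type is "flow", a stats record, and one non-JSON line to exercise skipping.
SAMPLE_EVE_LINES = [
    '{"timestamp":"T1","flow_id":1,"event_type":"alert","src_ip":"10.0.0.1",'
    '"dest_ip":"10.0.0.2","alert":{"signature_id":2210029,'
    '"signature":"SURICATA STREAM ESTABLISHED invalid ack"},'
    '"flow":{"pkts_toserver":2,"pkts_toclient":4,"bytes_toserver":100,"bytes_toclient":200}}',
    '{"timestamp":"T2","flow_id":2,"event_type":"flow","src_ip":"10.0.0.1",'
    '"dest_ip":"10.0.0.3",'
    '"flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":500,"bytes_toclient":900}}',
    '{"timestamp":"T3","flow_id":3,"event_type":"stats","stats":{"uptime":60}}',
    "this line is not json and is skipped",
]


def summarize_eve(lines):
    """Return (records per event_type, records per event_type that have a nested "flow" dict)."""
    by_type = Counter()
    nested_flow_by_type = Counter()
    for raw in lines:
        raw = raw.strip().rstrip(",")  # tolerate a trailing comma from copy/paste
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip unparsable lines instead of aborting the whole scan
        event_type = rec.get("event_type", "<missing>")
        by_type[event_type] += 1
        if isinstance(rec.get("flow"), dict):
            nested_flow_by_type[event_type] += 1
    return by_type, nested_flow_by_type


def flow_event_types_present(lines):
    """Set of event types that appear; "flow" is present only if the flow output type emitted records."""
    by_type, _ = summarize_eve(lines)
    return set(by_type)


if __name__ == "__main__":
    counts, nested = summarize_eve(SAMPLE_EVE_LINES)
    for et in sorted(counts):
        print(f"{et}: {counts[et]} record(s), {nested[et]} with a nested 'flow' object")
```

Point it at a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines to see whether "flow" shows up as a top-level event_type or only as a sub-object of alerts.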