Hi,
Is there a way to configure suricata to log a message when a flow (alerted flows only, in my case) have closed? If not by configuration, is this feasible to do with a Lua plugin? Or other ideas?
Thanks!
The eve event_type flow logs closed flows, and it will have flow.alerted set to true if there has been an alert in that flow.
e.g.
tail -f /var/log/suricata/eve.json |jq -c 'select(.event_type=="flow" and .flow.alerted==true)'
There is no option to log just the flows with an alert, but in post processing it should be easy to filter the non-alerting flows out.
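As an added example (not from the original thread, and not Suricata's own code) of the post-processing approach described above: it reads EVE JSON lines, keeps the flow records whose flow.alerted is true, and joins them to the alert records seen earlier on the same flow_id so the "flow closed" message also names the signatures that fired. The EVE lines below are constructed for illustration, not real capture data.

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not real capture data): one alert on flow 1111,
# a closed flow without alerts, then the flow record emitted when 1111 closes.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"TEST constructed alert on flow 1111","severity":2}}
{"timestamp":"2024-01-01T10:00:30.000000+0000","flow_id":2222,"event_type":"flow","src_ip":"10.0.0.6","src_port":40000,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","flow":{"age":12,"state":"closed","reason":"timeout","alerted":false}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","flow_id":1111,"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","flow":{"age":60,"state":"closed","reason":"timeout","alerted":true}}
"""


def alerted_flow_closures(eve_lines):
    """Return one summary dict per closed flow whose flow.alerted is true.

    Alert events for a flow_id are remembered until the matching flow event
    arrives, so the closure message can list the signatures that fired.
    """
    pending_sigs = defaultdict(list)
    closures = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        etype = rec.get("event_type")
        if etype == "alert":
            pending_sigs[rec["flow_id"]].append(rec["alert"]["signature"])
        elif etype == "flow" and rec.get("flow", {}).get("alerted") is True:
            flow = rec["flow"]
            closures.append({
                "flow_id": rec["flow_id"],
                "tuple": "%s:%s -> %s:%s (%s)" % (
                    rec.get("src_ip"), rec.get("src_port"),
                    rec.get("dest_ip"), rec.get("dest_port"), rec.get("proto")),
                "age": flow.get("age"),
                "reason": flow.get("reason"),
                # pop so memory does not grow when streaming a live eve.json
                "signatures": pending_sigs.pop(rec["flow_id"], []),
            })
    return closures


def main():
    for summary in alerted_flow_closures(SAMPLE_EVE.splitlines()):
        print("alerted flow closed:", json.dumps(summary))


if __name__ == "__main__":
    main()
```

To run it on a live sensor, replace SAMPLE_EVE.splitlines() with sys.stdin and pipe tail -f /var/log/suricata/eve.json into the script.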