HTTP request header And HTTP response header NOT IN eve.json


  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      metadata: yes
      pcap-file: false
      community-id: false
      community-id-seed: 0
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
        - alert:
            # payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            # packet: yes
            metadata: yes
            # http-body: yes
            http-body-printable: yes
            tagged-packets: yes


    "timestamp": "2023-06-29T09:16:12.530193+0000",
    "flow_id": 19463917013036,
    "in_iface": "ens32",
    "event_type": "alert",
    "src_ip": "",
    "src_port": 49491,
    "dest_ip": "",
    "dest_port": 80,
    "proto": "TCP",
    "tx_id": 0,
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1,
        "rev": 1,
        "signature": "Access",
        "category": "Default alert rule",
        "severity": 10,
        "metadata": {
            "attack_level": [
            "attck_x": [
            "attck_y": [
            "created_at": [
            "response": [
    "http": {
        "hostname": "",
        "url": "/",
        "http_user_agent": "PostmanRuntime/7.31.1",
        "http_content_type": "text/html",
        "http_method": "POST",
        "protocol": "HTTP/1.1",
        "status": 404,
        "length": 952,
        "http_request_body_printable": "balabala",
        "http_response_body_printable": "<html>   \r\n<head>   \r\n<title>..................</title>   \r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />   \r\n</head>   \r\n<body>   \r\n.\r\n\r\n<div align=\"center\">\r\n.......................................\r\n  ...</div>\r\n<div align=\"center\">\r\n  <font style=\"BACKGROUND-COLOR: #fffffd\" color=\"#0000ff\" size=\"4\"></font></div>\r\n\r\n\r\n\r\n<table>   \r\n  <tbody>   \r\n    <tr>   \r\n      <td>   \r\n     \r\n      <hr>      </td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td></td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td>   \r\n     </TD>   \r\n    </TR>   \r\n      <TD>   \r\n      <HR>      </TD>   \r\n    </TR>   \r\n  </TBODY>   \r\n</TABLE>   \r\n\r\n<table>   \r\n  <tbody>   \r\n    <tr>   \r\n      <td>   \r\n     \r\n      <hr>      </td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td></td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td>   \r\n     </TD>   \r\n    </TR>   \r\n      <TD>   \r\n      <HR>      </TD>   \r\n    </TR>   \r\n  </TBODY>   \r\n</TABLE>  \r\n\r\n  \r\n\r\n</body>   \r\n</html>"
    "files": [
            "filename": "/",
            "sid": [],
            "gaps": false,
            "state": "CLOSED",
            "stored": false,
            "size": 8,
            "tx_id": 0
    "app_proto": "http",
    "flow": {
        "pkts_toserver": 4,
        "pkts_toclient": 4,
        "bytes_toserver": 524,
        "bytes_toclient": 1372,
        "start": "2023-06-29T09:16:12.526380+0000"
    "payload_printable": "POST / HTTP/1.1\r\nContent-Type: text/plain\r\nUser-Agent: PostmanRuntime/7.31.1\r\nAccept: */*\r\nPostman-Token: 64706fb9-23d7-40b4-8ae7-e2d805d93413\r\nHost:\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 8\r\n\r\nbalabala",
    "stream": 1

I want the request and response headers to be displayed in “http”, but they are not included above.

I hope eve.log to look like this.


I believe the settings you’re looking for are mentioned in 16.1.1. Eve JSON Output — Suricata 6.0.13 documentation
Could you please try this and let us know if you’re able to see the headers then?

Thanks for your answer, I know the configuration item of this document, but it doesn’t match my expectation. I hope that the HTTP Request Header and HTTP Response Header are included in the JSON of the ALERT instead of a separate JSON.

So, you get request_headers for event_type==http, but not for event_type==alert

Do I get this correctly ?

Yes! I want the request_headers to be in event_type==alert.

Indeed, it is not the case, it would be a new feature

EveHttpAddMetadata (for alert events) does not call EveHttpLogJSONHeaders as EveHttpLogJSON (for http event) does

I think this is because the alert logger does not know about the value of the flag LOG_HTTP_REQ_HEADERS (which comes from parsing the suricata.yaml at the http event logger initialization)

Could you create a redmine ticket for this feature ? And a contribution would be welcome

I’m very sorry, I’m currently limited, so I can’t help you with this.

Thank you very much!
I’m looking forward to it!