Hello, I have configured Suricata to exclusively capture and log HTTP traffic. While this setup is functioning as intended, I have encountered an issue: all logs are being saved in `http.log`, which prevents me from sending them to my SIEM. Would it be possible to modify the configuration so that the logs are saved as `eve.json` instead?
Did you remove the `eve-log` section in your `suricata.yaml`? (suricata/suricata.yaml.in at master · OISF/suricata · GitHub)
You’ll want to keep it, then in the `types:` section, remove the types you don’t want, leaving `http`.
Hello @ish, I turned it on again, but now Suricata creates 2 files, one named http and one named eve. Will everything in http be stored in EVE as well?
Also, when I started this I got a lot of “suricata messages”. Is there a way to get rid of them? All I want to see is http, nothing more.
`eve` is the most comprehensive logging format we have. It will include all that goes into `http.log` and more. It’s very tunable; out of the box it logs most of our event types, but you can strip it down to just http. That should get rid of these “suricata messages”, which I’m going to assume are just our other log types.