Is it possible to record pass event as well?

In eve.log we have the "event_type":"alert", but I want to know if it's possible to record the pass event as well, i.e. if a packet hits a rule, write a log like "event_type":"pass" to eve.log or a separate file. I know there's a drop.log; maybe a new pass.log?

If not possible for now, what's the fastest way to modify the source to achieve this?

I would argue to add it as a type to the eve json output as an option, like drop, or include it in the alert type.

Thanks for the suggestion! I have added a new "pass" log type (event type) under the eve-log output. It seems good.
