Hello,
Can someone please let me know how the following feature works in the yaml file?
# VLAN tracking
vlan:
  use-for-tracking: true
Is the vlan id extracted from the packet header on the outflow when this option is configured? Is it possible to include vlan ids in the text for an alert? I do not wish to exclude any packets based upon a vlan id, but instead display the vlan id if one exists.
I would appreciate any insight on this topic.
Thank you
No extra configuration is required to log the VLAN ID if present, and the vlan.use-for-tracking setting does not affect the output. If an alert triggers on a packet that is VLAN tagged, you should see it in the eve.json. For example:
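Added example, not part of the reply above: a short Python reader that takes alert records from eve.json and builds a one-line alert text that shows the VLAN ID when one exists. The sample records are constructed, and the field layout (a top-level "vlan" key holding a list, or a single integer in some releases) is an assumption about the output.

```python
import json

# Constructed eve.json lines (not from a real sensor). The last one is cut off
# on purpose, as happens when the file is read while Suricata is writing it.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:01","event_type":"alert","vlan":[100],"src_ip":"10.0.0.5","dest_ip":"10.0.1.9","alert":{"signature_id":1000001,"signature":"EXAMPLE rule A"}}
{"timestamp":"2024-01-01T00:00:02","event_type":"alert","vlan":[200,30],"src_ip":"10.0.0.6","dest_ip":"10.0.1.9","alert":{"signature_id":1000002,"signature":"EXAMPLE rule B"}}
{"timestamp":"2024-01-01T00:00:03","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.1.9","alert":{"signature_id":1000001,"signature":"EXAMPLE rule A"}}
{"timestamp":"2024-01-01T00:00:04","event_type":"flow","vlan":[100],"src_ip":"10.0.0.5","dest_ip":"10.0.1.9"}
{"timestamp":"2024-01-01T00:00:05","event_type":"al
"""

def vlan_ids(event):
    """Return the event's VLAN IDs as a list, in the order they were logged."""
    vlan = event.get("vlan")
    if vlan is None:
        return []          # untagged packet: the key is simply absent
    # Assumption: handle both a list (stacked tags) and a bare integer.
    return vlan if isinstance(vlan, list) else [vlan]

def format_alert(event):
    """Build one line of alert text that includes the VLAN ID(s), if any."""
    ids = vlan_ids(event)
    tag = "vlan=" + ".".join(str(i) for i in ids) if ids else "vlan=-"
    alert = event.get("alert", {})
    return "{} {} {} -> {} [{}] {}".format(
        event.get("timestamp", "?"), tag,
        event.get("src_ip", "?"), event.get("dest_ip", "?"),
        alert.get("signature_id", "?"), alert.get("signature", "?"))

def alerts_with_vlan(lines):
    """Format every alert record; skip other event types and broken lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue       # partially written record
        if event.get("event_type") == "alert":
            out.append(format_alert(event))
    return out

if __name__ == "__main__":
    print("\n".join(alerts_with_vlan(SAMPLE_EVE.splitlines())))
```

No packet is filtered here: untagged alerts are kept and shown with "vlan=-".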