Logging different kind of logs in different EVE files

Lyonid · June 11, 2020, 9:48am

Goodmorning everyone!
Is there a way to have different kind of EVE logs in different files? Like, alerts logs in eve.json, http logs in eve1.json, dns logs in eve2.json and so on?
Thanks in advance

syoc · June 11, 2020, 10:57am

Yes. Just do multiple eve-log definitions:

outputs:
     eve-log:
          filename: dns.log
          enabled:yes
          types:
                - dns
     eve-log:
              [....]

Lyonid · June 11, 2020, 11:16am

I tried before asking but I got something like a “unexpected key in suricata.yaml” error. I just supposed it couldn’t be that easy, but seing your answer I retried and it works. Guess I wrote it wrong the first time. Thanks!

Topic		Replies	Views
Eve.json only shows "event_type":"flow" Help	7	1583	October 22, 2020
Missing event data from Eve log Help	5	983	October 1, 2020
Eve.json with 'weird' output and no ALERTS Help	1	482	December 8, 2021
Eve.json filename options Help suricata	7	454	August 7, 2023
Extensible Event Format logs issue	4	77	March 27, 2024

Logging different kind of logs in different EVE files

Related Topics