I send the data from fast.log to a SIEM.
How can I get the contents of the line that triggered the alert from the eve.json file into the fast.log file?
I have looked in the suricata.yaml file but I cannot get it to work. Do you have an example of which lines to uncomment?
I don’t think you can enrich the fast.log file. You should probably, if possible, use the eve.json file for both rules and metadata logging.
fast.log is a legacy format that we won't extend. Like @syoc said, the best way is to start using the eve.json alert records.
Thanks @syoc and @vjulien
I added another .json output in the suricata.yaml with only the alerts, which I send to my SIEM.
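As an added example (not code from the thread or from the Suricata project), here is what the advice above amounts to in practice: read the eve.json alert records, render each one in the familiar fast.log one-line layout for anyone still used to it, and pair it with the payload that triggered the rule, which fast.log cannot carry. It assumes the eve-log `alert` output in suricata.yaml has `payload: yes` and `payload-printable: yes` enabled (and optionally `packet: yes` for the whole packet); the sample records are constructed, not captured from a sensor, and the signature ids and messages are placeholders.

```python
"""Render eve.json alert records in fast.log layout, plus the payload that
triggered them.  Added example, not Suricata code.  Assumes the eve-log
`alert` output in suricata.yaml has `payload: yes` and
`payload-printable: yes` so alert records carry the matched packet data."""
import base64
import json
from datetime import datetime

# Constructed sample records (not captured from a real sensor; sids and
# messages are placeholders).  The first carries payload fields, the second
# (ICMP, no ports) has none, the third is not an alert and must be ignored.
SAMPLE_RECORDS = [
    {
        "timestamp": "2023-01-05T10:22:33.123456+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 51234,
        "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001,
                  "rev": 1, "signature": "LOCAL TEST sample HTTP request",
                  "category": "Potentially Bad Traffic", "severity": 2},
        "payload": base64.b64encode(b"GET /?id=1' OR 1=1 HTTP/1.1\r\n").decode(),
        "payload_printable": "GET /?id=1' OR 1=1 HTTP/1.1\r\n",
    },
    {
        "timestamp": "2023-01-05T10:22:34.000001+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "ICMP",
        "icmp_type": 8, "icmp_code": 0,
        "alert": {"action": "allowed", "gid": 1, "signature_id": 1000002,
                  "rev": 2, "signature": "LOCAL TEST icmp echo",
                  "category": "Misc activity", "severity": 3},
    },
    {"timestamp": "2023-01-05T10:22:35.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP"},
]
SAMPLE_EVE = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


def iter_alerts(text):
    """Yield alert records from eve.json text; skip blank, truncated or
    non-alert lines (a tailed file can end in a half-written line)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def fast_line(rec):
    """Format one eve alert the way fast.log prints it.  fast.log always
    prints ports, using 0 for protocols such as ICMP that have none."""
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    a = rec["alert"]
    return (
        f"{ts.strftime('%m/%d/%Y-%H:%M:%S.%f')}  [**] "
        f"[{a['gid']}:{a['signature_id']}:{a['rev']}] {a['signature']} [**] "
        f"[Classification: {a['category']}] [Priority: {a['severity']}] "
        f"{{{rec['proto']}}} {rec['src_ip']}:{rec.get('src_port', 0)} -> "
        f"{rec['dest_ip']}:{rec.get('dest_port', 0)}"
    )


def alert_payload(rec):
    """Return the raw bytes that triggered the alert, or None when the eve
    alert output was not configured with payload: yes."""
    if "payload" not in rec:
        return None
    return base64.b64decode(rec["payload"])


def process(text):
    """Pair each alert's fast.log-style line with its payload."""
    out = []
    for rec in iter_alerts(text):
        out.append({
            "fast": fast_line(rec),
            "payload": alert_payload(rec),
            "payload_printable": rec.get("payload_printable"),
        })
    return out


if __name__ == "__main__":
    for item in process(SAMPLE_EVE):
        print(item["fast"])
        if item["payload"] is None:
            print("    (no payload: enable payload: yes in the eve-log alert section)")
        else:
            print("    payload:", item["payload"])
```

The fast.log rendering is only there for reference; what goes to the SIEM should be the alert-only eve output itself, since it keeps the base64 payload, `payload_printable`, the flow id and the rule metadata as structured fields instead of a single line that has to be parsed again. The second sample shows the failure mode to check for first: if `payload` is missing from every alert record, the eve-log `alert` section is not configured to emit it.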