Metadata of eve.json in the file fast.log

Norbby · January 15, 2021, 2:12pm

Hi all,

I send the data of the fast.log in a SIEM.
How can I get the contents of the line that triggered the alert from the eve.json file in the fast.log file ?

I have looked in the suricata.yaml file but I cannot get it to work. Do you have an example with which lines to uncomment?

Thank you

syoc · January 16, 2021, 9:33am

I don’t think you can enrich the fast.log file. You should probably, if possible, use the eve.json file for both rules and metadata logging.

vjulien · January 18, 2021, 11:04am

fast.log is a legacy format that we won’t extend. Like @syoc said, the best way is to start using the eve.json alert records.

Norbby · January 30, 2021, 4:26pm

Thks @syoc and @vjulien
I add another output .json in the suricata.yaml with only the alerts that I send in my SIEM.

Topic		Replies	Views
Rules and log files	1	1264	November 28, 2023
Fast.log not being written to Help suricata	13	145	September 9, 2024
Suricata does not generate the fast.log file Help	5	3033	October 7, 2020
Alert-debug.log not write Help	5	394	November 27, 2021
Suricata fast.log help!	0	22	January 11, 2025

Metadata of eve.json in the file fast.log

Related topics