Metadata of eve.json in the file fast.log

Norbby · January 15, 2021, 2:12pm

Hi all,

I send the data of the fast.log in a SIEM.
How can I get the contents of the line that triggered the alert from the eve.json file in the fast.log file ?

I have looked in the suricata.yaml file but I cannot get it to work. Do you have an example with which lines to uncomment?

Thank you

syoc · January 16, 2021, 9:33am

I don’t think you can enrich the fast.log file. You should probably, if possible, use the eve.json file for both rules and metadata logging.

vjulien · January 18, 2021, 11:04am

fast.log is a legacy format that we won’t extend. Like @syoc said, the best way is to start using the eve.json alert records.

Norbby · January 30, 2021, 4:26pm

Thks @syoc and @vjulien
I add another output .json in the suricata.yaml with only the alerts that I send in my SIEM.

Topic		Replies	Views
Rules and log files	1	278	November 28, 2023
Suricata does not generate the fast.log file Help	5	2715	October 7, 2020
Alert-debug.log not write Help	5	309	November 27, 2021
How to config YMAL to show only alerts with events Help suricata	1	641	February 23, 2023
Is there a standard way to test all Suricata rules? Are there any sample EVE files I should use for testing? Developers rules , suricata	1	1606	October 26, 2022

Metadata of eve.json in the file fast.log

Related Topics