mce1376
September 30, 2020, 12:12pm
Hi
Can anyone tell me why I’m getting different data in two eve logs I have setup?
I have the following log outputs configured:

outputs:
  - eve-log:
      enabled: yes
      filetype: unix_dgram #regular|syslog|unix_dgram|unix_stream|redis
      filename: /var/log/suricata/event.socket
      types:
        - alert
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-%Y-%m-%d.json
      rotate-interval: 7d
I also have logging of payload enabled as follows:

      types:
        - alert:
            payload: yes # enable dumping payload in Base64
The payload data appears in the .json log as intended but when I monitor data sent to the socket I don’t see the payload here.
Why would this be?
Thanks
ish
(Jason Ish)
September 30, 2020, 4:53pm
This seems to work fine for me using 5.0.3 (and git master). Two thoughts come to mind:
The indentation of your yaml might be off, please double check.
Could it be getting truncated? Are you able to try unix_stream?
mce1376
September 30, 2020, 6:54pm
Indentation was off. Thanks
mce1376
September 30, 2020, 7:18pm
Apologies I was mistaken, the same behaviour remains.
This is actually the preferred behaviour, as I have no need to send payload data to the socket. I just can’t understand how I’ve managed to accomplish it.
Is it actually possible to configure this behaviour or does the addition of the payload configuration apply globally to all configured eve outputs?
Thanks,
ish
(Jason Ish)
September 30, 2020, 9:52pm
Yes. With this config I have the payload being logged to a file, but not logged to the socket:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            payload: yes
  - eve-log:
      enabled: yes
      filetype: unix_dgram
      filename: /tmp/eve.json
      types:
        - alert:
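As an added example (not code from the thread or from Suricata), a small Python reader that binds the unix_dgram socket path from the original config and counts alert records with and without a payload field, so the per-output behaviour described above can be checked directly. It assumes Suricata connects to an already-bound socket and sends one EVE record per datagram; the sample records are constructed.

```python
"""Check which EVE alert records arriving over a unix_dgram socket carry a payload."""
import json
import os
import socket

# Constructed sample EVE records, not captured from a real sensor.
SAMPLE_LINES = [
    '{"event_type": "alert", "src_ip": "10.0.0.5", "alert": {"signature_id": 1}, "payload": "R0VUIC8gSFRUUC8xLjEK"}',
    '{"event_type": "alert", "src_ip": "10.0.0.6", "alert": {"signature_id": 2}}',
    '{"event_type": "flow", "src_ip": "10.0.0.7"}',
    '{"event_type": "alert", "src_ip": "10.0.0.8", "alert": {"sig',  # truncated datagram
]


def has_payload(event):
    """True when an alert record carries a payload or payload_printable field."""
    return "payload" in event or "payload_printable" in event


def summarize(lines):
    """Count alert records with and without payload, plus undecodable lines.
    Undecodable lines point at truncated datagrams, which unix_stream avoids."""
    counts = {"alerts": 0, "with_payload": 0, "without_payload": 0, "undecodable": 0}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["undecodable"] += 1
            continue
        if event.get("event_type") != "alert":
            continue
        counts["alerts"] += 1
        counts["with_payload" if has_payload(event) else "without_payload"] += 1
    return counts


def receive_lines(path, limit, bufsize=65536):
    """Bind a datagram socket at `path` and collect `limit` datagrams as text.
    Assumption: Suricata connects to an existing socket, so bind before starting it."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    lines = []
    try:
        while len(lines) < limit:
            lines.append(sock.recv(bufsize).decode("utf-8", errors="replace").rstrip("\n"))
    finally:
        sock.close()
        os.unlink(path)
    return lines


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    # Live check against the socket path used in the thread (run before starting Suricata):
    # print(summarize(receive_lines("/var/log/suricata/event.socket", limit=20)))
```

Run the live check with the socket output configured without `payload: yes`; every alert should land in `without_payload` while the regular file output still contains the Base64 payload.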