Overriding "default-output-filter:" in suracata.yaml at the outputs:->file level

We are new to suricata.
We would like to use, for logging, two output log files. The first would be the normal suricata.log. The second would filter out all lines except those that had a specific string - such as “end of file reached”. In the suricata.yaml file I tried creating a second “logging:->outputs:->file:” section with “filename: second.log”. I kept “default-output-filter:” as empty. I could not see any documentation on how to specify the filter at the file level (the comments just state that it “Can be overriden in an output section”) so I tried adding lines that start with “output-filter:” or “filter:”. They did not work - the result was an unfiltered second.log file. I should point out that overriding the format works OK, and overriding the filename works OK. Also, the “default-output-filter:”, when filled in, appears to work, but it applies the filter to both files. Does anyone know how to create a filter for a specific log file? Thanks. (Let me know if you need more information)

I’m interested in this use case too.

Looking at the comments in suricata.yaml it appears possible:

  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
  # This value is overridden by the SC_LOG_OP_FILTER env var.

But I’ve been unable to get it to work for . Can we actually do this / am I misunderstanding something? Thanks.

What version are you running and can you post the suricata.yaml? There are a lot of detailed option to control each output section and what to log, so there might be an even easier way to approach this.

I am running version 6.0.8 on RHEL 7.6
I’ve uploaded the suricata.yaml file. I added a section for an additional log output file “suricata_eof.log”. I wanted to filter only lines that have the string “end” (eventually I want the filter to be “end of file”). It works for the default_log_filter but I made several attempts to just filter it for the suricata_eof.log and in all cases that log ended up being identical to the suricata.log file. Hope this helps.

suricata.yaml (73.2 KB)

So you’re talking about the suricata.log so the logging.outputs.file section?

There is the default-log-level that you can adjust but also you can use the default-output-filter and try to use regex.