Retrieve metadata only related to alerts

AntoninHL · June 5, 2023, 5:19pm

Hello everyone,
I’m looking for a simple and effective way to configure Suricata to retrieve only metadata related to alerts.
Does put the parameter
metadata:yes
in the type alert config lines of the - eve-log: section
can be enough?

Thank you in advance for your help.

sbhardwaj · June 8, 2023, 9:08am

Hi! Welcome to our forum!

Seems like eve-log.types.alert.metadata is set to yes by default. Have you tried checking your alerts for any metadata?
Let us know if you’re looking for something specific in the alert metadata.

Topic		Replies	Views
How to config YMAL to show only alerts with events Help suricata	1	680	February 23, 2023
Metadata of eve.json in the file fast.log Help	3	1156	January 30, 2021
Discussion about Suricata Help rules	3	286	January 17, 2023
Eve.json only shows "event_type":"flow" Help	7	1385	October 22, 2020
Probe identification inside regular Eve-log Help events	1	278	July 21, 2023

Retrieve metadata only related to alerts

Related Topics