Retrieve metadata only related to alerts

AntoninHL · June 5, 2023, 5:19pm

Hello everyone,
I’m looking for a simple and effective way to configure Suricata to retrieve only metadata related to alerts.
Does put the parameter
metadata:yes
in the type alert config lines of the - eve-log: section
can be enough?

Thank you in advance for your help.

sbhardwaj · June 8, 2023, 9:08am

Hi! Welcome to our forum!

Seems like eve-log.types.alert.metadata is set to yes by default. Have you tried checking your alerts for any metadata?
Let us know if you’re looking for something specific in the alert metadata.

Topic		Replies	Views
How to config YMAL to show only alerts with events Help suricata	1	900	February 23, 2023
Metadata of eve.json in the file fast.log Help	3	1291	January 30, 2021
Discussion about Suricata Help rules	3	323	January 17, 2023
Eve.json only shows "event_type":"flow" Help	7	1633	October 22, 2020
Not alerts are triggered in suricata V 6.0.13	7	481	August 28, 2023

Retrieve metadata only related to alerts

Related topics