Suricata 6.0.0 not displaying payload and http-body fields in alerts

Hello,

Even though the following fields are set to “yes” in the Suricata 6.0.0 configuration file, they are missing from the alerts raised:

  • payload
  • payload-printable
  • http-body
  • http-body-printable

whereas they are present when using a previous version (Suricata 4.x) with the same configuration.

Do you have any idea of the reason for this strange behaviour?

Thank you

Can you post your configuration file?

I am unable to reproduce the issue after changing the settings – here’s the types section from outputs.eve-log that produces the desired results with my setup:

      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
            http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format

            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes

Hello,

It seems that there was an indentation problem (a missing space before "payload: yes").
But there were no parsing errors in the logs anyway.

With the proper indentation, the payload is displayed.

Thank you for your help.
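The indentation problem reported above, checked with a small added script that is not part of the thread and not a Suricata tool: it scans a suricata.yaml fragment for the `- alert:` entry under eve-log `types:` and flags any key beneath it that is not indented deeper than `alert` or not to the same column as the other keys, so a slipped space is caught even when Suricata starts without a parsing error. The function name and the two sample configs are constructed for this example.

```python
import re
from textwrap import dedent

PAYLOAD_KEYS = ("payload", "payload-printable", "http-body", "http-body-printable")

def check_alert_block(cfg_text):
    """Hypothetical line-based checker (not a Suricata tool) for the `- alert:`
    entry under eve-log `types:`: each key beneath `alert` must be indented deeper
    than the word `alert` and to one consistent column. Returns (settings, problems);
    problems is empty when the indentation is sound. Comments are cut at the first
    '#', so values containing '#' are unsupported."""
    settings, problems = {}, []
    key_col = child_col = None  # column of `alert`, column of its child keys
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if key_col is None:
            m = re.match(r"^(\s*-\s+)alert:\s*$", line)
            key_col = len(m.group(1)) if m else None
            continue
        if indent < key_col:  # next list item or dedent: the alert block is over
            break
        key, _, value = (s.strip() for s in line.strip().partition(":"))
        if indent == key_col:  # valid YAML, but a sibling of `alert`: silently ignored
            problems.append(f"line {no}: '{key}' sits at the column of 'alert', "
                            "so it is not an alert setting")
            continue
        if child_col is None:
            child_col = indent
        elif indent != child_col:
            problems.append(f"line {no}: '{key}' is at column {indent}, but the "
                            f"other alert keys start at column {child_col}")
        if key in PAYLOAD_KEYS:
            settings[key] = value
    if key_col is None:
        problems.append("no '- alert:' entry found")
    return settings, problems

# Constructed inputs: GOOD_CFG mirrors the working block posted in the thread,
# BAD_CFG has one space missing before `payload: yes`, as in the final post.
GOOD_CFG = dedent("""\
    types:
      - alert:
          payload: yes
          payload-printable: yes
          http-body: yes
          http-body-printable: yes
      - http:
          extended: yes
""")
BAD_CFG = GOOD_CFG.replace("      payload: yes", "     payload: yes", 1)
```

Running `check_alert_block(BAD_CFG)` reports the three keys that no longer line up with the first one, while the good block yields no problems.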