Even if the following fields are set to “yes” in Suricata 6.0.0 configuration file, the following fields are missing in the alerts raised :
whereas they are existing when using a previous version (Suricata 4.x) with the same configuration.
Do you have any idea of the reason of this strange behaviour ?
Can you post your configuration file?
I am unable to reproduce the issue after changing the settings – here’s the
types section from
outputs.eve-log that produces the desired results with my setup:
payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
payload-printable: yes # enable dumping payload in printable (lossy) format
# packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
It seems that there was an indentation problem (a missing space before " payload: yes").
But there were no parsing errors in the logs anyway.
With the proper indentation, the payload are displayed.
Thank you for your help.