From: Jason Ish
Date: Thu, 25 Jan 2018 14:52:47 +0000 (-0600)
Subject: doc: update eve-log section for metadata
X-Git-Tag: suricata-4.1.0-beta1~253
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e02684634f82b76b3425b84d80fb376b94b30a4;p=thirdparty%2Fsuricata.git

doc: update eve-log section for metadata
---
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index a1567fb252..7476c66cb8 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -301,16 +301,20 @@ integration with 3rd party tools like logstash.
# pipelining:
# enabled: yes ## set enable to yes to enable query pipelining
# batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
types:
- alert:
# payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
# packet: yes # enable dumping of packet (without stream segments)
- http: yes # enable dumping of http fields
- tls: yes # enable dumping of tls fields
- ssh: yes # enable dumping of ssh fields
- smtp: yes # enable dumping of smtp fields
+
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
@@ -382,6 +386,9 @@ integration with 3rd party tools like logstash.
- flow # uni-directional flows
#- netflow
+ # An event for logging metadata, specifically pktvars when
+ # they are set, but will also include the full metadata object.
+ #- metadata
For more advanced configuration options, see :ref:`Eve JSON Output `.