From: Jason Ish Date: Thu, 25 Jan 2018 22:20:32 +0000 (-0600) Subject: doc: breakout eve-log section to a partial file X-Git-Tag: suricata-4.1.0-beta1~249 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab939f4aaa04adc32a5feb12d07c32afe7238046;p=thirdparty%2Fsuricata.git doc: breakout eve-log section to a partial file Both the suricata.yaml and eve configuration sections included the eve-log section from suricata.yaml. First, sync these up with the actual suricata.yaml then break it out into its own file, so only one file needs to be kept in sync with the actual configuration file. --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 7476c66cb8..2f585d6021 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -273,122 +273,7 @@ Eve (Extensible Event Format) This is an JSON output for alerts and events. It allows for easy integration with 3rd party tools like logstash. -:: - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: eve.json - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - - # Include top level metadata. Default yes. - #metadata: no - - types: - - alert: - # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - # payload-printable: yes # enable dumping payload in printable (lossy) format - # packet: yes # enable dumping of packet (without stream segments) - - # http-body: yes # enable dumping of http body in Base64 - # http-body-printable: yes # enable dumping of http body in printable format - metadata: yes # add L7/applayer fields, flowbit and other vars to the alert - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: yes - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns: - # control logging of queries and answers - # default yes, no to disable - query: yes # enable logging of DNS queries - answer: yes # enable logging of DNS answers - # control which RR types are logged - # all enabled if custom not specified - #custom: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - ssh - - stats: - totals: yes # stats for all threads merged together - threads: no # per thread stats - deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - # An event for logging metadata, specifically pktvars when - # they are set, but will also include the full metadata object. - #- metadata +.. literalinclude:: ../partials/eve-log.yaml For more advanced configuration options, see :ref:`Eve JSON Output `. diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index 807b1579ce..8574d7c44e 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -7,117 +7,7 @@ Suricata can output alerts, http events, dns events, tls events and file info th The most common way to use this is through 'EVE', which is a firehose approach where all these logs go into a single file. - -:: - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: eve.json - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - types: - - alert: - # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - # payload-printable: yes # enable dumping payload in printable (lossy) format - # packet: yes # enable dumping of packet (without stream segments) - http: yes # enable dumping of http fields - tls: yes # enable dumping of tls fields - ssh: yes # enable dumping of ssh fields - smtp: yes # enable dumping of smtp fields - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. - tagged-packets: yes - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns: - # control logging of queries and answers - # default yes, no to disable - query: yes # enable logging of DNS queries - answer: yes # enable logging of DNS answers - # control which RR types are logged - # all enabled if custom not specified - #custom: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, fingerprint, sni, version, not_before, not_after, certificate, chain] - - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - - ssh - - stats: - totals: yes # stats for all threads merged together - threads: no # per thread stats - deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow +.. literalinclude:: ../../partials/eve-log.yaml Each alert, http log, etc will go into this one file: 'eve.json'. This file can then be processed by 3rd party tools like Logstash or jq. diff --git a/doc/userguide/partials/eve-log.yaml b/doc/userguide/partials/eve-log.yaml new file mode 100644 index 0000000000..ee6436cf97 --- /dev/null +++ b/doc/userguide/partials/eve-log.yaml @@ -0,0 +1,131 @@ +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + + # Include extra data in alert records like the app-layer + # information and flow records. Default: yes. + #metadata: yes + + # If metadata is false this will enable logging of the + # associated app-layer with the alert record. + #app-layer: yes + + # If metadata is false this will enable logging of the flow + # record with the alert record. + #flow: yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # control logging of queries and answers + # default yes, no to disable + query: yes # enable logging of DNS queries + answer: yes # enable logging of DNS answers + # control which RR types are logged + # all enabled if custom not specified + #custom: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + # NFS logging. Requires Rust. + - nfs + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # An event for logging metadata, specifically pktvars when + # they are set, but will also include the full metadata object. + #- metadata