From 0e02684634f82b76b3425b84d80fb376b94b30a4 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 25 Jan 2018 08:52:47 -0600
Subject: [PATCH] doc: update eve-log section for metadata
---
 doc/userguide/configuration/suricata-yaml.rst | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index a1567fb252..7476c66cb8 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -301,16 +301,20 @@ integration with 3rd party tools like logstash.
 # pipelining:
 # enabled: yes ## set enable to yes to enable query pipelining
 # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
 types:
 - alert:
 # payload: yes # enable dumping payload in Base64
 # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
 # payload-printable: yes # enable dumping payload in printable (lossy) format
 # packet: yes # enable dumping of packet (without stream segments)
- http: yes # enable dumping of http fields
- tls: yes # enable dumping of tls fields
- ssh: yes # enable dumping of ssh fields
- smtp: yes # enable dumping of smtp fields
+
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ metadata: yes # add L7/applayer fields, flowbit and other vars to the alert

 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
@@ -382,6 +386,9 @@ integration with 3rd party tools like logstash.
 - flow # uni-directional flows #- netflow
+ # An event for logging metadata, specifically pktvars when
+ # they are set, but will also include the full metadata object.
+ #- metadata
 For more advanced configuration options, see :ref:`Eve JSON Output `.
--
2.47.2