From 74e036d09f0dcd81b14bc59bbadc665d3da4e8fc Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 30 Jan 2018 15:09:17 -0600
Subject: [PATCH] doc: update eve/alert/metadata configuration
---
 doc/userguide/output/eve/eve-json-output.rst | 52 ++++++++------------
 doc/userguide/partials/eve-log.yaml | 36 +++++++-------
 2 files changed, 39 insertions(+), 49 deletions(-)
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index ca5e96dc62..d137f7ec03 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -47,47 +47,35 @@ Output types::
 Alerts
 ~~~~~~
-Alerts are event records for rule matches. They can be ammended with metadata,
-such as the HTTP record an alert was generated for.
+Alerts are event records for rule matches. They can be ammended with
+metadata, such as the application layer record (HTTP, DNS, etc) an
+alert was generated for, and elements of the rule.
 Metadata::
 - alert:
- # payload: yes # enable dumping payload in Base64
- # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
- # payload-printable: yes # enable dumping payload in printable (lossy) format
- # packet: yes # enable dumping of packet (without stream segments)
- # http-body: yes # enable dumping of http body in Base64
- # http-body-printable: yes # enable dumping of http body in printable format
- # rule: yes # enable dumping of signature definition
- metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
-Alternatively to the `metadata` key it is also possible to select the application
-layer metadata to output on a per application layer basis ::
+ #payload: yes # enable dumping payload in Base64
+ #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ #payload-printable: yes # enable dumping payload in printable (lossy) format
+ #packet: yes # enable dumping of packet (without stream segments)
+ #http-body: yes # enable dumping of http body in Base64
+ #http-body-printable: yes # enable dumping of http body in printable format
- - alert:
- http: yes # enable dumping of http fields
- tls: yes # enable dumping of tls fields
- ssh: yes # enable dumping of ssh fields
- smtp: yes # enable dumping of smtp fields
- dnp3: yes # enable dumping of dnp3 fields
- flow: yes # enable dumping of a partial flow entry
- vars: yes # enable dumping of flowbits and other vars
+ # metadata:
-The `vars` will enable dumping of a set of key/value based on flowbits and other vars
-such as named groups in regular expression.
+ # Include the decoded application layer (ie. http, dns)
+ #app-layer: true
-It is also possible to log key/value pairs defined by the metadata keyword on rule. To
-do so you need to set `enabled` to yes under `rule-metadata` ::
+ # Log the the current state of the flow record.
+ #flow: true
- - alert:
- metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
- rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
- enabled: yes # set to yes to enable
- output-array: no # output value of key as an array
- array-keys: [tag] # comma separated array of keys to output as array
+ #rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ #metadata: true
-This will add a `alert.metadata` object in the alert event.
+ # Log the raw rule text.
+ #raw: false
 DNS
 ~~~
diff --git a/doc/userguide/partials/eve-log.yaml b/doc/userguide/partials/eve-log.yaml
index b50620f972..54633b76ad 100644
--- a/doc/userguide/partials/eve-log.yaml
+++ b/doc/userguide/partials/eve-log.yaml
@@ -38,28 +38,30 @@ outputs:
 # http-body: yes # enable dumping of http body in Base64
 # http-body-printable: yes # enable dumping of http body in printable format
- # rule: yes # enable dumping of signature definition
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
- # Include extra data in alert records like the app-layer
- # information and flow records. Default: yes.
- #metadata: yes
+ # Configure the metadata to be logged along with an
+ # alert. The following shows the default configuration
+ # which is used if this field is not provided or simply
+ # set to a truthful value. Setting of this section is only
+ # required if you wish to enable/disable specific fields.
+ #metadata:
- # If metadata is false this will enable logging of the
- # associated app-layer with the alert record.
- #app-layer: yes
+ # Include the decoded application layer (ie. http, dns)
+ app-layer: true
- # If metadata is false this will enable logging of the flow
- # record with the alert record.
- #flow: yes
+ # Log the the current state of the flow record.
+ flow: true
- # Enable the logging of tagged packets for rules using the
- # "tag" keyword.
- tagged-packets: yes
+ rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ metadata: true
- rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
- enabled: no # set to yes to enable
- output-array: no # output value of key as an array
- array-keys: [tag] # comma separated array of keys to output as array
+ # Log the raw rule text.
+ raw: false
 # HTTP X-Forwarded-For support by adding an extra field or overwriting
 # the source or destination IP address (depending on flow direction)
-- 
2.47.2
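Review bot: The new metadata block in this hunk leaves `#metadata:` commented out while its children (`app-layer: true`, `flow: true`, `rule:`, `metadata: true`, `raw: false`) are added uncommented, unlike the rst hunk in the same patch where each of them is `#`-prefixed. If the children keep the deeper indentation the rst version shows, the partial stops parsing once the parent is a comment (they would follow `tagged-packets: yes` as a more-indented mapping); if they are dedented instead, they presumably end up directly under `alert:` rather than under `metadata`, where a reader copying the snippet would not get the behaviour the comment describes. Either comment them out to match the rst (`#app-layer: true`, `#flow: true`, `#rule:` and its two children) or drop the `#` on `metadata:` so the block is a working example of the stated defaults. The introductory comment should also read `set to a truthy value` rather than `truthful`, and `# Log the the current state of the flow record.` has a doubled word. The enclosing `alert:` mapping starts before this hunk.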