How to remove the log header when sending Suricata alerts

Started by tameribrahim, August 05, 2022, 02:09:46 PM

Hello,


Please, I need help here: I want to send Suricata alerts/logs using EVE without the log header.

I want to send the following logs without this line: <174>Aug  5 15:56:41 OPNsense.net suricata[49763]:


<174>Aug  5 15:56:41 OPNsense.net suricata[49763]:
{
  "timestamp": "2022-08-05T15:56:41.024807+0400",
  "flow_id": 297267663278777,
  "in_iface": "em5",
  "event_type": "alert",
  "src_ip": "10.10.20.2",
  "src_port": 65292,
  "dest_ip": "206.221.181.253",
  "dest_port": 5553,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2017419,
    "rev": 2,
    "signature": "ET MALWARE Bladabindi/njrat CnC Checkin",
    "category": "Malware Command and Control Activity Detected",
    "severity": 1,
    "metadata": {
      "created_at": [
        "2013_09_05"
      ],
      "former_category": [
        "MALWARE"
      ],
      "updated_at": [
        "2013_09_05"
      ]
    }
  },
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 1,
    "bytes_toserver": 437,
    "bytes_toclient": 66,
    "start": "2022-08-05T15:56:41.004793+0400"
  }
}


Thanks a lot
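
An added example (not from the post or from OPNsense/Suricata) of what a small relay sitting between OPNsense and the JSON-only consumer would have to do: strip the syslog header shown above from each forwarded record and hand on only the EVE JSON document. It assumes the header keeps the shape in the post, `<PRI>Mon dd HH:MM:SS host tag[pid]:`, and the sample record is constructed, with fields shortened.

```python
import json
import re

# Matches the syslog header OPNsense prepends when EVE events are forwarded
# over syslog, e.g. "<174>Aug  5 15:56:41 OPNsense.net suricata[49763]: ".
# Assumed shape: <PRI>Mon dd HH:MM:SS host tag[pid]: (pid is optional).
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?:\s*"
)


def strip_syslog_header(record: str):
    """Return (header_fields, eve_event) for one forwarded record.

    header_fields is None when the record carries no syslog header (already
    bare JSON), so the same function can process both kinds of input.
    Raises ValueError when what remains is not a single JSON object, which is
    the condition that breaks a JSON-only consumer.
    """
    m = SYSLOG_HEADER.match(record)
    body = record[m.end():] if m else record
    header = None
    if m:
        pri = int(m.group("pri"))          # PRI = facility * 8 + severity
        header = {
            "facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"), "pid": m.group("pid"),
        }
    event = json.loads(body)                # tolerates single-line or pretty-printed JSON
    if not isinstance(event, dict):
        raise ValueError("payload after the syslog header is not a JSON object")
    return header, event


# Constructed sample in the shape of the record from the post (fields shortened).
SAMPLE = ('<174>Aug  5 15:56:41 OPNsense.net suricata[49763]: '
          '{"timestamp":"2022-08-05T15:56:41.024807+0400","event_type":"alert",'
          '"src_ip":"10.10.20.2","dest_ip":"206.221.181.253","dest_port":5553,'
          '"alert":{"signature_id":2017419,"severity":1}}')

if __name__ == "__main__":
    hdr, ev = strip_syslog_header(SAMPLE)
    print(json.dumps(ev))   # the bare EVE document the downstream system expects
```

The header fields are returned rather than discarded so the relay can still keep the reporting host and syslog severity alongside the event if the receiving system wants them.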

Hi,
could you clarify your goal please? (It's a syslog message (RFC5424) header.) I think the eve.json files (/var/log/suricata) contain event details only.

The goal is to send Suricata raw logs in JSON format to another system that can only read JSON documents, but that header is blocking that system from doing so. Also, it is not possible to filter that header at that system.

Think of it like raw log forwarding.

Quote: "The goal is to send Suricata raw logs in JSON format to another system"
Sorry, how are you planning to send these logs?