How to remove the log header when sending suricata alerts
tameribrahim
on: August 05, 2022, 02:09:46 pm
Hello,
Please, I need help here: I want to send suricata alerts/logs using eve without the log header.
I want to send the following logs without this line:
<174>Aug 5 15:56:41 OPNsense.net suricata[49763]:

<174>Aug 5 15:56:41 OPNsense.net suricata[49763]:
{
  "timestamp": "2022-08-05T15:56:41.024807+0400",
  "flow_id": 297267663278777,
  "in_iface": "em5",
  "event_type": "alert",
  "src_ip": "10.10.20.2",
  "src_port": 65292,
  "dest_ip": "206.221.181.253",
  "dest_port": 5553,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2017419,
    "rev": 2,
    "signature": "ET MALWARE Bladabindi/njrat CnC Checkin",
    "category": "Malware Command and Control Activity Detected",
    "severity": 1,
    "metadata": {
      "created_at": [
        "2013_09_05"
      ],
      "former_category": [
        "MALWARE"
      ],
      "updated_at": [
        "2013_09_05"
      ]
    }
  },
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 1,
    "bytes_toserver": 437,
    "bytes_toclient": 66,
    "start": "2022-08-05T15:56:41.004793+0400"
  }
}
Thanks a lot
Fright
Reply #1 on: August 05, 2022, 05:11:06 pm
Hi,
could you clarify your goal please? (It's a syslog message (RFC5424) header.) I think the eve.json files (/var/log/suricata) contain event details only.
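As an added example (not code from either poster or from OPNsense), a small receiver-side filter in Python that strips the syslog header Fright points to and keeps only the EVE JSON document, so a downstream system that accepts JSON only can still consume the forwarded lines. The header pattern and the sample lines are constructed to match the format shown in the first post; lines without a header (as read straight from eve.json) pass through unchanged.

```python
import json
import re
from typing import Iterable, Iterator, Optional

# Syslog header in the shape shown in the post (constructed pattern):
#   <PRI>Mon D HH:MM:SS hostname suricata[pid]: <payload>
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<payload>.*)$",
    re.DOTALL,
)


def strip_syslog_header(line: str) -> str:
    """Return the message payload with the syslog header removed.
    A line that carries no header is returned unchanged."""
    m = SYSLOG_HEADER.match(line)
    return m.group("payload") if m else line


def parse_eve_line(line: str) -> Optional[dict]:
    """Strip the header and parse the remaining EVE JSON object.
    Returns None for lines that are not a JSON object (e.g. daemon status text)."""
    payload = strip_syslog_header(line).strip()
    if not payload.startswith("{"):
        return None
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def forward_json_only(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only parsed EVE events; headers and non-JSON lines are dropped."""
    for line in lines:
        event = parse_eve_line(line)
        if event is not None:
            yield event


# Constructed sample lines modelled on the post (fields shortened).
SAMPLES = [
    '<174>Aug 5 15:56:41 OPNsense.net suricata[49763]: {"timestamp": "2022-08-05T15:56:41.024807+0400", '
    '"event_type": "alert", "src_ip": "10.10.20.2", "dest_ip": "206.221.181.253", "dest_port": 5553, '
    '"alert": {"signature_id": 2017419, "severity": 1}}',
    '{"timestamp": "2022-08-05T15:56:41.004793+0400", "event_type": "flow", "proto": "TCP"}',
    "<174>Aug  5 15:56:42 OPNsense.net suricata[49763]: suricata restarted",
]

if __name__ == "__main__":
    for ev in forward_json_only(SAMPLES):
        print(json.dumps(ev))
```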
tameribrahim
Reply #2 on: August 06, 2022, 07:04:58 am
The goal is to send suricata raw logs in JSON format to another system that can only read JSON documents, but that header is blocking that system from doing so. Also, it is not possible to filter that header at that system.
Think of it as raw log forwarding.
Fright
Reply #3 on: August 11, 2022, 04:55:18 pm
Quote: goal is to send suricata raw logs in json format to another system
Sorry, how are you planning to send these logs?