Closed mounaBoo closed 5 years ago
In your suricata.yaml you will want to enable payload and rule logging. So you'll want to update your outputs.eve-log to look something like:
```yaml
outputs:
  eve-log:
    types:
      - alert:
          payload: yes
          metadata:
            rule:
              metadata: true
              raw: true
```
This should add the rule and the payload to the eve record generated by Suricata. Then EveBox can show it.
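As an added example (not code from this thread, and not part of EveBox or Suricata), a small Python check for the two things that go wrong in this kind of edit: a tab in the indentation, which Suricata's YAML loader rejects, and an alert block that is missing the payload or rule-metadata keys EveBox needs. `GOOD` is a constructed sample in the layout above, and `parse_block` is a deliberately minimal indentation walker for this snippet rather than a YAML library.

```python
TRUTHY = {"yes", "true", "on", "1"}
ALERT = ("outputs", "eve-log", "types", "alert")
REQUIRED = [("payload",), ("metadata", "rule", "metadata"), ("metadata", "rule", "raw")]

GOOD = """\
outputs:
  - eve-log:
      types:
        - alert:
            payload: yes          # base64 payload lands in the eve record
            metadata:
              rule:
                metadata: true
                raw: true         # raw rule text, so EveBox can display it
"""  # constructed sample of the layout from the answer above, indented with spaces as YAML requires

def parse_block(text):
    """Tiny indentation walker for this 'key: value' / '- key:' layout (not a YAML library):
    comments are dropped and a '- alert:' list item is folded into its parent mapping."""
    stack = [(-1, {})]                        # (indent of the owning key, mapping to fill)
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if not body.strip(): continue         # blank or comment-only line
        indent = len(body) - len(body.lstrip())
        body = body.strip()
        if body.startswith("- "):             # treat '- alert:' like 'alert:' two columns deeper
            body, indent = body[2:], indent + 2
        key, _, value = body.partition(":")
        while stack[-1][0] >= indent: stack.pop()   # climb back out to the right parent
        if value.strip():
            stack[-1][1][key.strip()] = value.strip()
        else:
            stack[-1][1][key.strip()] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def check_evebox_settings(text):
    """Return a list of problems; an empty list means rule text and payload will be logged."""
    problems = [f"line {n}: tab in indentation (YAML rejects it)"      # the thread's first error
                for n, l in enumerate(text.splitlines(), 1) if "\t" in l[: len(l) - len(l.lstrip())]]
    if problems:                              # Suricata would refuse to load the file anyway
        return problems
    cfg = parse_block(text)
    for path in REQUIRED:
        found = cfg
        for k in ALERT + path:
            found = found.get(k) if isinstance(found, dict) else None
        if str(found).lower() not in TRUTHY:
            problems.append(".".join(ALERT + path) + f" is {found!r}, expected yes/true")
    return problems
```

Run `check_evebox_settings(open("suricata.yaml").read())` before restarting Suricata; it reports the offending line for a tab and the missing key for an incomplete alert block.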
Hello, I did exactly what you recommended, now I have this issue:
12/5/2019 -- 21:16:44 -
```yaml
types:
  - alert:
      payload: yes             # enable dumping payload in Base64
      # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
      # payload-printable: yes # enable dumping payload in printable (lossy) format
      # packet: yes            # enable dumping of packet (without stream segments)
      # http-body: yes         # enable dumping of http body in Base64
      # http-body-printable: yes # enable dumping of http body in printable format
      metadata:                # enable inclusion of app layer metadata with alert. Default yes
        rule:
          metadata: true
          raw: true
      # Enable the logging of tagged packets for rules using the
      # "tag" keyword.
      tagged-packets: yes
```
I fixed the error, it was a tabulation mistake, but now I am getting
SC_ERR_CONF_YAML_ERROR(242)] - Failed to parse configuration file at line 158: did not find expected key
I solved the problem, I needed to delete the hash sign and the extra space after it to make it work. Thank you very much.
Solved by jasonish, thank you sir.
Hello,
I have recently installed EveBox with Elasticsearch and Logstash. I want to know how to add the rule and payload display on the EveBox dashboard like it is shown in the demo: https://demo.evebox.org/#/event/01DAMA2YVTHMDSDS1TNSWB2XN0;referer=%2Finbox