Netgate Discussion Forum
How can I set "metadata: no" in eve logging?

IDS/IPS
4 Posts, 2 Posters, 360 Views
  • digdug3, Aug 24, 2019, 12:09 PM (last edited Aug 24, 2019, 12:10 PM)

    Like the title says: how do I set metadata: no in EVE logging? This (could) fix the truncating in the logs, or at least make the log lines smaller.

    - eve-log:
        enabled: yes
        filetype: syslog
        filename: eve.json
        redis:
          server: 127.0.0.1
          port: 6379
          mode: list
          key: "suricata"
        identity: "suricata"
        facility: local1
        level: notice
        xff:
          enabled: yes
          mode: overwrite
          deployment: reverse
          header: X-Forwarded-For
        types:
          - alert:
              payload: no               # enable dumping payload in Base64
              payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
              payload-printable: no     # enable dumping payload in printable (lossy) format
              packet: no                # enable dumping of packet (without stream segments)
              http-body: yes            # enable dumping of http body in Base64
              http-body-printable: no   # enable dumping of http body in printable format
              tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword
              metadata: no              # << To disable metadata logging


    Metadata logging is enabled by default.

    • bmeeks, Aug 24, 2019, 7:44 PM (last edited Aug 24, 2019, 7:45 PM)

      You will need to edit one of the PHP source files. Any edit will be overwritten with the next package update, but you could always repeat the edit. If changing this option to "no" accomplishes your goal, and you think having it configurable would be useful, I can add the setting to the GUI in a future release.

      For now, to implement this, edit the file /usr/local/pkg/suricata/suricata_generate_yaml.php as follows:

      Locate this section of code starting at line 398.

      if (($suricatacfg['eve_log_alerts'] == 'on')) {
      	$eve_out_types .= "\n        - alert:";
      	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
      	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
      	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
      	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
      	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on'?'yes':'no ' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
      	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
      	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
      }
      

      You will need to add this additional line of code to it:

      $eve_out_types .= "\n            metadata: no              # turn off logging of metadata";
      

      The new section will look like this:

      if (($suricatacfg['eve_log_alerts'] == 'on')) {
      	$eve_out_types .= "\n        - alert:";
      	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
      	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
      	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
      	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
      	// http-body condition written to mirror the payload line above: the original nested
      	// ternary ('no ' || ...) is always truthy, so it emitted "yes" regardless of the setting
      	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
      	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
      	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
      	$eve_out_types .= "\n            metadata: no              # turn off logging of metadata";
      }
      

      Save the change to the file, then go open up each interface to edit it and just click Save on the INTERFACE SETTINGS tab. Clicking Save will generate a new suricata.yaml file for the interface. Then return to the INTERFACES tab and restart Suricata on the interface so it will use the new configuration.

      Be careful when making the change. I suggest you copy and paste from this post. The syntax and spacing (indentation) are critical to the proper functioning of the code.

      • digdug3, Aug 25, 2019, 6:43 AM

        @bmeeks said in How can I set "metadata: no" in eve logging?:

        $eve_out_types .= "\n            metadata: no              # turn off logging of metadata";

        Great! It works perfectly. I need it to log X-Forwarded-For IP addresses to a remote syslog server so I can block those offenders too.
        Before, the EVE JSON lines were too long and were truncated by pfSense's syslog. That malformed the JSON. Looks like they "fit" now!

        If you can make it configurable, then yes, please!

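        To make the truncation problem from this thread concrete, here is an added Python example (not from the thread, the pfSense package or Suricata) that models a syslog path cutting EVE lines at a fixed size and shows what is lost. SYSLOG_LIMIT, the sample alert and its metadata values are constructed assumptions; the thread does not state pfSense's real per-message limit.

```python
import json

# Assumed per-message cap on the syslog path: the thread says pfSense's syslog
# truncated EVE lines but does not state the limit, so this is a placeholder.
SYSLOG_LIMIT = 320

# Constructed alert.metadata block with sample values (not from the thread).
SAMPLE_METADATA = {"flowbits": ["http.dottedquadhost"], "signature_severity": ["Major"],
                   "affected_product": ["Web_Server_Applications"], "created_at": ["2010_09_28"]}

def build_alert(with_metadata: bool) -> str:
    """Constructed EVE alert line, serialized compactly as Suricata emits it. With the thread's
    xff settings (mode: overwrite, deployment: reverse) the forwarded client address is in src_ip."""
    ev = {"timestamp": "2019-08-24T12:00:00.000000+0200", "event_type": "alert",
          "src_ip": "203.0.113.7", "dest_ip": "198.51.100.5", "proto": "TCP",
          "alert": {"signature_id": 2100498, "signature": "CONSTRUCTED TEST SIG", "severity": 2},
          "http": {"hostname": "example.test", "url": "/"}}
    if with_metadata:
        ev["alert"]["metadata"] = SAMPLE_METADATA
    return json.dumps(ev, separators=(",", ":"))

def as_syslog_forwards_it(line: str, limit: int = SYSLOG_LIMIT) -> str:
    """Model the truncation: only the first `limit` bytes of the message survive."""
    return line.encode()[:limit].decode(errors="ignore")

def audit(lines, limit: int = SYSLOG_LIMIT):
    """Return (offender_ips, malformed_count) for alert lines received through syslog.
    A cut line is no longer valid JSON, so the whole alert, address included, is lost."""
    offenders, malformed = [], 0
    for line in lines:
        try:
            ev = json.loads(as_syslog_forwards_it(line, limit))
        except json.JSONDecodeError:
            malformed += 1
            continue
        if ev.get("event_type") == "alert" and "src_ip" in ev:
            offenders.append(ev["src_ip"])
    return offenders, malformed

def metadata_overhead(line: str) -> int:
    """Bytes that alert.metadata adds to an untruncated EVE line (0 when absent)."""
    ev = json.loads(line)
    ev["alert"].pop("metadata", None)
    return len(line) - len(json.dumps(ev, separators=(",", ":")))

if __name__ == "__main__":
    for flag in (True, False):
        line = build_alert(flag)
        print(f"metadata={flag} bytes={len(line)} overhead={metadata_overhead(line)} audit={audit([line])}")
```

        With the sample values, the line carrying metadata exceeds the assumed cap and comes back as unparseable JSON with no source address to block, while the same alert without metadata fits and parses.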
        • bmeeks, Aug 25, 2019, 9:16 PM

          I've added it to my TODO feature list for Suricata.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.