How can I set "metadata: no" in eve logging?



  • Like the title says, how do I set metadata: no in EVE logging? This could fix the truncation in the logs, or at least make the log lines smaller.

    - eve-log:
         enabled: yes
         filetype: syslog
         filename: eve.json
         redis: 
           server: 127.0.0.1
           port: 6379
           mode: list
           key: "suricata"
         identity: "suricata"
         facility: local1
         level: notice
         xff:
           enabled: yes
           mode: overwrite
           deployment: reverse
           header: X-Forwarded-For
         types: 
           - alert:
               payload: no               # enable dumping payload in Base64
               payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
               payload-printable: no     # enable dumping payload in printable (lossy) format
               packet: no                # enable dumping of packet (without stream segments)
               http-body: yes            # enable dumping of http body in Base64
               http-body-printable: no   # enable dumping of http body in printable format
               tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword
               metadata: no              # << To disable metadata logging
    

    Metadata logging is enabled by default.



  • You will need to edit one of the PHP source files. Any edit will be overwritten with the next package update, but you could always repeat the edit. If changing this option to "no" accomplishes your goal, and you think having it configurable would be useful, I can add the setting to the GUI in a future release.

    For now, to implement this, edit the file /usr/local/pkg/suricata/suricata_generate_yaml.php as follows:

    Locate this section of code starting at line 398.

    if (($suricatacfg['eve_log_alerts'] == 'on')) {
    	$eve_out_types .= "\n        - alert:";
    	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
    	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
    	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
    	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
    	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on'?'yes':'no ' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
    	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
    	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
    }
    

    You will need to add this additional line of code to it:

    $eve_out_types .= "\n            metadata: no              # turn off logging of metadata";
    

    The new section will look like this:

    if (($suricatacfg['eve_log_alerts'] == 'on')) {
    	$eve_out_types .= "\n        - alert:";
    	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
    	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
    	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
    	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
    	// The original http-body line nested a second ternary inside the first ('on'?'yes':'no ' || ...),
    	// which PHP evaluates to 'yes' regardless of the setting (and rejects outright on PHP 8);
    	// it is written here with the same parenthesised form as the payload line above.
    	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
    	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
    	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
    	$eve_out_types .= "\n            metadata: no              # turn off logging of metadata";
    }
    

    Save the change to the file, then go open up each interface to edit it and just click Save on the INTERFACE SETTINGS tab. Clicking Save will generate a new suricata.yaml file for the interface. Then return to the INTERFACES tab and restart Suricata on the interface so it will use the new configuration.

    Be careful when making the change. Suggest you copy-paste from this post. The syntax and spacing (indentation) is critical to proper functioning of the code.



  • @bmeeks said in How can I set "metadata: no" in eve logging?:

    $eve_out_types .= "\n            metadata: no              # turn off logging of metadata";

    Great! It works perfectly. I need it to log X-Forwarded-For IP addresses to a remote syslog server so I can block those offenders too.
    Before, the EVE JSON lines were too long and were truncated by pfSense's syslog. That malformed the JSON. Looks like they "fit" now!

    If you can make it configurable, then yes, please!
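
    As an added example (not code from this thread or from the pfSense Suricata package), the Python below models what the reply above describes: an EVE alert record that carries rule metadata grows past a syslog line limit, gets cut mid-object, and no longer parses as JSON, while the same record with alert.metadata dropped (what metadata: no produces) still fits. The 1024-byte limit and the alert record are constructed for the demonstration; the thread does not state pfSense's actual syslog limit, and the record is not captured traffic.

```python
"""Model how EVE alert records with rule metadata overflow a syslog line limit.

Added example. The record below is constructed, not captured traffic, and the
1024-byte limit is an assumption (the thread does not state pfSense's limit).
"""
import copy
import json

SYSLOG_LIMIT = 1024  # assumed syslog message limit in bytes

# Constructed EVE alert record. "alert.metadata" is the object Suricata adds
# when `metadata: yes`; its "tag" list is padded here so that the serialised
# line clearly exceeds SYSLOG_LIMIT.
SAMPLE_ALERT = {
    "timestamp": "2019-03-01T12:00:00.000000+0000",
    "flow_id": 1,
    "in_iface": "em0",
    "event_type": "alert",
    "src_ip": "198.51.100.7",
    "src_port": 443,
    "dest_ip": "192.0.2.10",
    "dest_port": 51234,
    "proto": "TCP",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2000001,
        "rev": 1,
        "signature": "TEST rule with long metadata",
        "category": "Misc activity",
        "severity": 3,
        "metadata": {
            "affected_product": ["Any"],
            "attack_target": ["Client_Endpoint"],
            "deployment": ["Perimeter"],
            "signature_severity": ["Informational"],
            "tag": ["padding_tag_%03d" % i for i in range(100)],
        },
    },
}


def to_eve_line(record):
    """Serialise a record as eve-log does: one compact JSON object per line."""
    return json.dumps(record, separators=(",", ":"))


def strip_metadata(record):
    """Copy of the record as it would be logged with `metadata: no`."""
    out = copy.deepcopy(record)
    out.get("alert", {}).pop("metadata", None)
    return out


def syslog_truncate(line, limit=SYSLOG_LIMIT):
    """Model a syslog daemon that silently cuts the message at `limit` bytes."""
    return line.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def classify_lines(lines):
    """Split received lines into parsable records and malformed (cut) lines."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)
    return good, bad


def survives_syslog(record, limit=SYSLOG_LIMIT):
    """True if the record still parses after the syslog cut."""
    good, _ = classify_lines([syslog_truncate(to_eve_line(record), limit)])
    return len(good) == 1


def report(records, limit=SYSLOG_LIMIT):
    """Per record: line length and survival with metadata on versus off."""
    rows = []
    for rec in records:
        stripped = strip_metadata(rec)
        rows.append({
            "signature_id": rec["alert"]["signature_id"],
            "len_with_metadata": len(to_eve_line(rec)),
            "len_without_metadata": len(to_eve_line(stripped)),
            "ok_with_metadata": survives_syslog(rec, limit),
            "ok_without_metadata": survives_syslog(stripped, limit),
        })
    return rows


if __name__ == "__main__":
    for row in report([SAMPLE_ALERT]):
        print(row)
```

    Running classify_lines over lines as received by the remote syslog server is the quick way to count how many alerts were lost to truncation before the change; after regenerating suricata.yaml, grep it for `metadata: no` under the alert type to confirm the edited PHP actually took effect.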



  • I've added it to my TODO feature list for Suricata.

