How can I set "metadata: no" in eve logging?
-
Like the title says, how do I set metadata: no in EVE logging? This (could) fix the truncation in the logs, or at least make the log lines smaller.

  - eve-log:
      enabled: yes
      filetype: syslog
      filename: eve.json
      redis:
        server: 127.0.0.1
        port: 6379
        mode: list
        key: "suricata"
      identity: "suricata"
      facility: local1
      level: notice
      xff:
        enabled: yes
        mode: overwrite
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            payload: no                # enable dumping payload in Base64
            payload-buffer-size: 4kb   # max size of payload buffer to output in eve-log
            payload-printable: no      # enable dumping payload in printable (lossy) format
            packet: no                 # enable dumping of packet (without stream segments)
            http-body: yes             # enable dumping of http body in Base64
            http-body-printable: no    # enable dumping of http body in printable format
            tagged-packets: yes        # enable logging of tagged packets for rules using the 'tag' keyword
            metadata: no               # << To disable metadata logging
Metadata logging is enabled by default.
-
You will need to edit one of the PHP source files. Any edit will be overwritten with the next package update, but you could always repeat the edit. If changing this option to "no" accomplishes your goal, and you think having it configurable would be useful, I can add the setting to the GUI in a future release.
For now, to implement this, edit the file /usr/local/pkg/suricata/suricata_generate_yaml.php as follows. Locate this section of code starting at line 398.

    if ($suricatacfg['eve_log_alerts'] == 'on') {
        $eve_out_types .= "\n        - alert:";
        $eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ? 'yes' : 'no')."  # enable dumping payload in Base64";
        $eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
        $eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ? 'yes' : 'no')."  # enable dumping payload in printable (lossy) format";
        $eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on' ? 'yes' : 'no')."  # enable dumping of packet (without stream segments)";
        // Note: the original expression here was "== 'on' ? 'yes' : 'no ' || ... ? 'yes' : 'no '", which PHP
        // parses so that http-body is always 'yes'; the condition is grouped below like the other options.
        $eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ? 'yes' : 'no')."  # enable dumping of http body in Base64";
        $eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ? 'yes' : 'no')."  # enable dumping of http body in printable format";
        $eve_out_types .= "\n            tagged-packets: yes  # enable logging of tagged packets for rules using the 'tag' keyword";
    }
You will need to add this additional line of code to it:
    $eve_out_types .= "\n            metadata: no  # turn off logging of metadata";
The new section will look like this:
    if ($suricatacfg['eve_log_alerts'] == 'on') {
        $eve_out_types .= "\n        - alert:";
        $eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ? 'yes' : 'no')."  # enable dumping payload in Base64";
        $eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
        $eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ? 'yes' : 'no')."  # enable dumping payload in printable (lossy) format";
        $eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on' ? 'yes' : 'no')."  # enable dumping of packet (without stream segments)";
        // Note: the original expression here was "== 'on' ? 'yes' : 'no ' || ... ? 'yes' : 'no '", which PHP
        // parses so that http-body is always 'yes'; the condition is grouped below like the other options.
        $eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ? 'yes' : 'no')."  # enable dumping of http body in Base64";
        $eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ? 'yes' : 'no')."  # enable dumping of http body in printable format";
        $eve_out_types .= "\n            tagged-packets: yes  # enable logging of tagged packets for rules using the 'tag' keyword";
        $eve_out_types .= "\n            metadata: no  # turn off logging of metadata";
    }

Save the change to the file, then open each interface for editing and just click Save on the INTERFACE SETTINGS tab. Clicking Save will generate a new suricata.yaml file for the interface. Then return to the INTERFACES tab and restart Suricata on the interface so it will use the new configuration. Be careful when making the change. I suggest you copy-paste from this post. The syntax and spacing (indentation) is critical to proper functioning of the code.
-
@bmeeks said in How can I set "metadata: no" in eve logging?:
    $eve_out_types .= "\n            metadata: no  # turn off logging of metadata";

Great! It works perfectly. I need it to log X-Forwarded-For IP addresses to a remote syslog server so I can block those offenders too.
Before, the eve JSON lines were too long and were truncated by pfSense's syslog. That malformed the JSON. Looks like they "fit" now! If you can make it configurable, then yes, please!
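As an added illustration of the truncation problem discussed in this thread (example code written for this page, not code from the thread or from the pfSense Suricata package), the script below takes EVE alert lines as they would arrive over syslog, flags lines that were cut mid-object and therefore no longer parse as JSON, and measures how many bytes the per-rule alert.metadata object adds to each line, which is what metadata: no removes. The 1024-byte syslog message limit is an assumed value used only for the demonstration, and the sample alert record is constructed, not captured traffic.

```python
"""Spot truncated EVE JSON alert lines in a syslog feed and measure how much
of each line the per-rule 'metadata' object contributes.

Added example for the thread above; not code from the pfSense Suricata
package. ASSUMED_SYSLOG_LIMIT is an assumption for illustration and the
sample alert record is constructed.
"""
import json
from collections import Counter

ASSUMED_SYSLOG_LIMIT = 1024  # assumption: a typical syslog message ceiling in bytes

# Constructed alert record in the shape of an eve.json 'alert' event. The rule
# metadata is deliberately verbose; that object is what 'metadata: no' drops.
SAMPLE_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "198.51.100.10",
    "dest_ip": "203.0.113.5",
    "proto": "TCP",
    "alert": {
        "signature_id": 1000001,
        "signature": "EXAMPLE constructed rule",
        "category": "Example",
        "severity": 2,
        "metadata": {
            "affected_product": ["Any"],
            "attack_target": ["Client_Endpoint"],
            "deployment": ["Perimeter"],
            "signature_severity": ["Major"],
            "tag": [f"example_tag_{i:02d}" for i in range(60)],
        },
    },
    "http": {"xff": "192.0.2.44", "hostname": "example.test"},
}


def serialize(event: dict) -> str:
    """Render an event the way EVE does: one compact JSON object per line."""
    return json.dumps(event, separators=(",", ":"))


def strip_metadata(event: dict) -> dict:
    """Return a copy with alert.metadata removed, mirroring 'metadata: no'."""
    slim = json.loads(serialize(event))  # deep copy via JSON round-trip
    slim.get("alert", {}).pop("metadata", None)
    return slim


def syslog_truncate(line: str, limit: int = ASSUMED_SYSLOG_LIMIT) -> str:
    """Simulate a syslog transport cutting a message at 'limit' bytes."""
    return line.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def classify_line(line: str) -> str:
    """'ok' for parseable JSON, 'truncated' when the object was cut open
    (more '{' than '}'), 'invalid' for anything else that is not JSON."""
    try:
        json.loads(line)
        return "ok"
    except json.JSONDecodeError:
        return "truncated" if line.count("{") > line.count("}") else "invalid"


def metadata_bytes(event: dict) -> int:
    """Bytes the alert.metadata object contributes to the serialized line."""
    return len(serialize(event)) - len(serialize(strip_metadata(event)))


def analyze_feed(lines, limit: int = ASSUMED_SYSLOG_LIMIT) -> dict:
    """Summarize a received feed: parse status counts and lines at/over 'limit'."""
    status = Counter(classify_line(line) for line in lines)
    over = sum(1 for line in lines if len(line.encode("utf-8")) >= limit)
    return {"counts": dict(status), "at_or_over_limit": over, "total": len(lines)}


if __name__ == "__main__":
    full = serialize(SAMPLE_ALERT)
    slim = serialize(strip_metadata(SAMPLE_ALERT))
    print(f"with metadata: {len(full)} bytes, without: {len(slim)} bytes "
          f"(metadata adds {metadata_bytes(SAMPLE_ALERT)} bytes)")
    feed = [syslog_truncate(full), syslog_truncate(slim), "not json at all"]
    for line in feed:
        print(classify_line(line), len(line))
    print(analyze_feed(feed))
```

Running it against a real feed means replacing the constructed list with the lines read from the remote syslog file; a non-zero "truncated" count is the symptom described in this thread, and comparing the two sizes shows whether dropping metadata alone is enough to bring lines under the transport's limit or whether payload and http-body settings also need trimming.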
-
I've added it to my TODO feature list for Suricata.