How can I set "metadata: no" in eve logging?

digdug3 · Aug 24, 2019, 12:10 PM

Like the title said, how to set metadata:no in EVE logging. This (could) fix the truncating in the logs, or at least make the loglines smaller.

- eve-log:
     enabled: yes
     filetype: syslog
     filename: eve.json
     redis: 
       server: 127.0.0.1
       port: 6379
       mode: list
       key: "suricata"
     identity: "suricata"
     facility: local1
     level: notice
     xff:
       enabled: yes
       mode: overwrite
       deployment: reverse
       header: X-Forwarded-For
     types: 
       - alert:
           payload: no               # enable dumping payload in Base64
           payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log
           payload-printable: no     # enable dumping payload in printable (lossy) format
           packet: no                # enable dumping of packet (without stream segments)
           http-body: yes            # enable dumping of http body in Base64
           http-body-printable: no   # enable dumping of http body in printable format
           tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword
           metadata: no              # << To disable metadata logging

Metadata logging is enabled by default.

bmeeks · Aug 24, 2019, 7:45 PM

You will need to edit one of the PHP source files. Any edit will be overwritten with the next package update, but you could always repeat the edit. If changing this option to "no" accomplishes your goal, and you think having it configurable would be useful, I can add the setting to the GUI in a future release.

For now, to implement this, edit the file /usr/local/pkg/suricata/suricata_generate_yaml.php as follows:

Locate this section of code starting at line 398.

if (($suricatacfg['eve_log_alerts'] == 'on')) {
	$eve_out_types .= "\n        - alert:";
	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on'?'yes':'no ' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
}

You will need to add this additional line of code to it:

$eve_out_types .= "\n            metadata: no              # turn off logging of metadata";

The new section will look like this:

if (($suricatacfg['eve_log_alerts'] == 'on')) {
	$eve_out_types .= "\n        - alert:";
	$eve_out_types .= "\n            payload: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."              # enable dumping payload in Base64";
	$eve_out_types .= "\n            payload-buffer-size: 4kb  # max size of payload buffer to output in eve-log";
	$eve_out_types .= "\n            payload-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."    # enable dumping payload in printable (lossy) format";
	$eve_out_types .= "\n            packet: ".($suricatacfg['eve_log_alerts_packet'] == 'on'?'yes':'no ')."               # enable dumping of packet (without stream segments)";
	$eve_out_types .= "\n            http-body: ".($suricatacfg['eve_log_alerts_payload'] == 'on'?'yes':'no ' || $suricatacfg['eve_log_alerts_payload'] == 'only-base64' ?'yes':'no ')."            # enable dumping of http body in Base64";
	$eve_out_types .= "\n            http-body-printable: ".($suricatacfg['eve_log_alerts_payload'] == 'on' || $suricatacfg['eve_log_alerts_payload'] == 'only-printable' ?'yes':'no ')."  # enable dumping of http body in printable format";
	$eve_out_types .= "\n            tagged-packets: yes       # enable logging of tagged packets for rules using the 'tag' keyword";
	$eve_out_types .= "\n            metadata: no              # turn off logging of metadata";
}

Save the change to the file, then go open up each interface to edit it and just click Save on the INTERFACE SETTINGS tab. Clicking Save will generate a new suricata.yaml file for the interface. Then return to the INTERFACES tab and restart Suricata on the interface so it will use the new configuration.

Be careful when making the change. Suggest you copy-paste from this post. The syntax and spacing (indentation) is critical to proper functioning of the code.

digdug3 · Aug 25, 2019, 6:43 AM

@bmeeks said in How can I set "metadata: no" in eve logging?:

$eve_out_types .= "\n metadata: no # turn off logging of metadata";

Great! It works perfectly. I need it to log X-Forward-For ip-addresses to a remote syslog server so I can block those offenders too.
Before the eve JSON lines were too long and truncated by pfSense's syslog. That malformed the JSON. Looks like they "fit" now!

If you can make it configurable, then yes, please!

bmeeks · Aug 25, 2019, 9:16 PM

I've added it to my TODO feature list for Suricata.