doc: update eve/alert/metadata configuration

pull/3205/head
Jason Ish 8 years ago
parent 45a38c0431
commit 74e036d09f

@ -47,47 +47,35 @@ Output types::
Alerts
~~~~~~
Alerts are event records for rule matches. They can be ammended with metadata,
such as the HTTP record an alert was generated for.
Alerts are event records for rule matches. They can be ammended with
metadata, such as the application layer record (HTTP, DNS, etc) an
alert was generated for, and elements of the rule.
Metadata::
- alert:
# payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
# packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
# rule: yes # enable dumping of signature definition
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
Alternatively to the `metadata` key it is also possible to select the application
layer metadata to output on a per application layer basis ::
#payload: yes # enable dumping payload in Base64
#payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
#payload-printable: yes # enable dumping payload in printable (lossy) format
#packet: yes # enable dumping of packet (without stream segments)
#http-body: yes # enable dumping of http body in Base64
#http-body-printable: yes # enable dumping of http body in printable format
- alert:
http: yes # enable dumping of http fields
tls: yes # enable dumping of tls fields
ssh: yes # enable dumping of ssh fields
smtp: yes # enable dumping of smtp fields
dnp3: yes # enable dumping of dnp3 fields
flow: yes # enable dumping of a partial flow entry
vars: yes # enable dumping of flowbits and other vars
# metadata:
The `vars` will enable dumping of a set of key/value based on flowbits and other vars
such as named groups in regular expression.
# Include the decoded application layer (ie. http, dns)
#app-layer: true
It is also possible to log key/value pairs defined by the metadata keyword on rule. To
do so you need to set `enabled` to yes under `rule-metadata` ::
# Log the the current state of the flow record.
#flow: true
- alert:
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
enabled: yes # set to yes to enable
output-array: no # output value of key as an array
array-keys: [tag] # comma separated array of keys to output as array
#rule:
# Log the metadata field from the rule in a structured
# format.
#metadata: true
This will add a `alert.metadata` object in the alert event.
# Log the raw rule text.
#raw: false
DNS
~~~
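Review bot: the rewritten intro sentence keeps the `ammended` typo from the line it replaces; it should read `amended`. Two more wording fixes in the new snippet: `Log the the current state of the flow record.` has a doubled `the`, and `(ie. http, dns)` should be `(i.e. http, dns)`. More substantively, the new section drops all explanatory prose (the old `This will add a `alert.metadata` object in the alert event.` sentence and the description of what `vars` produced) and leaves only a fully commented-out YAML block, so a reader cannot tell from the docs that metadata logging is enabled by default or that the block only needs to be written out to disable specific fields, both of which the matching suricata.yaml comment in this same commit states (`Default: yes`, `Setting of this section is only required if you wish to enable/disable specific fields`); a short sentence stating the default and naming what each of `app-layer`, `flow` and `rule` adds to the alert record would restore that.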

@ -38,28 +38,30 @@ outputs:
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
# rule: yes # enable dumping of signature definition
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# Include extra data in alert records like the app-layer
# information and flow records. Default: yes.
#metadata: yes
# Configure the metadata to be logged along with an
# alert. The following shows the default configuration
# which is used if this field is not provided or simply
# set to a truthful value. Setting of this section is only
# required if you wish to enable/disable specific fields.
#metadata:
# If metadata is false this will enable logging of the
# associated app-layer with the alert record.
#app-layer: yes
# Include the decoded application layer (ie. http, dns)
app-layer: true
# If metadata is false this will enable logging of the flow
# record with the alert record.
#flow: yes
# Log the the current state of the flow record.
flow: true
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
rule:
# Log the metadata field from the rule in a structured
# format.
metadata: true
rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
enabled: no # set to yes to enable
output-array: no # output value of key as an array
array-keys: [tag] # comma separated array of keys to output as array
# Log the raw rule text.
raw: false
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
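Review bot: the new block leaves two commented `#metadata` keys in a row under `alert` (`#metadata: yes` with the `Default: yes` comment, followed by `#metadata:` with the nested `app-layer`/`flow`/`rule` keys); a user who uncomments both gets a duplicate key in YAML, so keep a single form, preferably the nested block with the default note folded into its comment. Also: `set to a truthful value` should read `set to true`, `Log the the current state` has a doubled `the`, and `(ie. http, dns)` should be `(i.e. http, dns)`. The removed `rule-metadata` options `enabled`, `output-array` and `array-keys` have no counterpart under the new `rule:` section; if that behaviour is gone rather than moved, the commit message or an upgrade note should say so, since existing configs still carrying those keys will silently stop matching the documented layout.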
