@ -359,66 +359,71 @@ For more advanced configuration options, see :ref:`Eve JSON Output <eve-json-out
The format is documented in :ref:`Eve JSON Format <eve-json-format>`.
Log output for use with Barnyard (unified.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This log only supports IPv4. Its information will be stored in the
default logging directory. This log is designed to be stored in a
binary format on the hard disc, where it will be further processed by
Barnyard. Barnyard can store the output in a database, so Suricata can
work on other important tasks. Barnyard can add the files in the
Mysql-database, send them to Sguil or several other output options.
There is a size-limit to the log-file: If Suricata generates an alert,
it stores this alert in a unified-file. Suricata keeps continuing
doing that, until the file has reached its limit. Which in the default
case is at 32 MB. At that point Suricata generates a new file and the
process starts all over again. Barnyard keeps on processing these
files. To prevent Suricata from filling up the hard disc, a size limit
is enforced. When the limit is reached, the file will 'role-over',
creating a new file. Barnyard removes old files. To every file,
Suricata adds a time stamp, so it is easy to see which one came first
and which one is the latter.
::
Alert output for use with Barnyard2 (unified2.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Unified-log: #The log-name.
enabled: no #This log is not enabled. Set 'yes' to enable.
filename: unified.log #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
This log format is a binary format compatible with the unified2 output
of another popular IDS format and is designed for use with Barnyard2
or other tools that consume the unified2 log format.
This output option has been removed in Suricata 1.1rc1 (see ticket
#353).
By default a file with the given filename and a timestamp (unix epoch
format) will be created until the file hits the configured size limit,
then a new file, with a new timestamp will be created. It is the job
of other tools, such as Barnyard2 to cleanup old unified2 files.
Alert output for use with Barnyard (unified.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the `nostamp` option is set the log file will not have a timestamp
appended. The file will be re-opened on SIGHUP like other log files
allowing external log rotation tools to work as expected. However, if
the limit is reach the file will be deleted and re-opened.
This log only supports IPv4. Its information will be stored in the
default logging directory. For further information read the above
information about ( 2) unified.log)
This output supports IPv6 and IPv4 events.
::
-Unified-alert: #The log-name.
enabled: no #This log is not enabled. Set 'yes' to enable.
filename: unified.alert #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
This output option has been removed in Suricata 1.1rc1 (see ticket #353).
Alert output for use with Barnyard2 (unified2.alert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This log also supports IPv6 in addition to IPv4. It's information will
be stored in the default logging directory. For further information
read the above information about 2. unified.log.
::
- unified2-alert:
enabled: yes
- unified2-alert: #The log-name.
enabled: yes #This log is enabled. Set 'no' to disable.
filename: unified2.alert #The name of the file in the default logging directory.
limit: 32 #The file size limit in megabytes.
# The filename to log to in the default log directory. A
# timestamp in unix epoch time will be appended to the filename
# unless nostamp is set to yes.
filename: unified2.alert
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
#limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts.
#sensor-id: 0
|
# Include payload of packets related to alerts. Defaults to true, set to
# false if payload is not required.
#payload: yes
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
# This is helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite". Note
# that in the "overwrite" mode, if the reported IP address in the HTTP
# X-Forwarded-For header is of a different version of the packet
# received, it will fall-back to "extra-data" mode.
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
This alert output needs Barnyard2.
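Review bot: the comment on `header: X-Forwarded-For` ("if more than one IP address is present, the last IP address will be the one taken into consideration") contradicts the `deployment:` comment directly above it, which states that a "forward" deployment uses the first address and only a "reverse" deployment uses the last; reword the `header:` comment to say which address is chosen is governed by `deployment`. Two further documentation points in the same hunk: `limit: 32 #The file size limit in megabytes.` conflicts with the newer comment "# Just a number is parsed as bytes." next to `#limit: 32mb`, so any surviving bare `limit: 32` under `unified2-alert` should become `limit: 32mb` or be dropped; and "This output supports IPv6 and IPv4 events." and "This log also supports IPv6 in addition to IPv4." say the same thing, so keep one. Finally, since `mode: overwrite` replaces the source or destination address in the alert with a value taken from an HTTP header, the `xff` section should say that the rewritten address is only as trustworthy as the proxy that sets that header, and that the option belongs behind a proxy the operator controls; as written the hunk presents it purely as a review convenience.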