.. _eve-json-output:
19.1.1. EVE JSON 输出¶
EVE 输出功能通过 JSON 格式输出告警、异常、元数据、文件信息及协议特定记录。
最常用的方式是通过 'EVE' 实现,这是一种将所有日志汇集到单一文件的"消防栓"式方法。
outputs:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# Enable for multi-threaded eve.json output; output files are amended with
# an identifier, e.g., eve.9.json
#threaded: false
# Specify the amount of buffering, in bytes, for
# this output type. The default value 0 means "no
# buffering".
#buffer-size: 0
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
#identity: "suricata"
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
#ethernet: no # log ethernet header in events when available
#redis:
# server: 127.0.0.1
# port: 6379
# async: true ## if redis replies are read asynchronously
# mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream
# ## lpush and rpush are using a Redis list. "list" is an alias for lpush
# ## publish is using a Redis channel. "channel" is an alias for publish
# ## xadd is using a Redis stream. "stream" is an alias for xadd
# key: suricata ## string denoting the key/channel/stream to use (default to suricata)
# stream-maxlen: 100000 ## Automatically trims the stream length to at most
## this number of events. Set to 0 to disable trimming.
## Only used when mode is set to xadd/stream.
# stream-trim-exact: false ## Trim exactly to the maximum stream length above.
## Default: use inexact trimming (inexact by a few
## tens of items)
## Only used when mode is set to xadd/stream.
# Redis pipelining set up. This will enable to only do a query every
# 'batch-size' events. This should lower the latency induced by network
# connection at the cost of some memory. There is no flushing implemented
# so this setting should be reserved to high traffic Suricata deployments.
# pipelining:
# enabled: yes ## set enable to yes to enable query pipelining
# batch-size: 10 ## number of entries to keep in buffer
# Include top level metadata. Default yes.
#metadata: no
# include the name of the input pcap file in pcap file processing mode
pcap-file: false
# Community Flow ID
# Adds a 'community-id' field to EVE records. These are meant to give
# records a predictable flow ID that can be used to match records to
# output of other tools such as Zeek (Bro).
#
# Takes a 'seed' that needs to be same across sensors and tools
# to make the id less predictable.
# enable/disable the community id feature.
community-id: false
# Seed value for the ID output. Valid values are 0-65535.
community-id-seed: 0
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
# helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available: "extra-data" and "overwrite".
mode: extra-data
# Two proxy deployments are supported: "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported. If more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
types:
- alert:
# payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
# payload-length: yes # enable dumping payload length, including the gaps
# packet: yes # enable dumping of packet (without stream segments)
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
# If you want metadata, use:
# metadata:
# Include the decoded application layer (ie. http, dns)
#app-layer: true
# Log the current state of the flow record.
#flow: true
#rule:
# Log the metadata field from the rule in a structured
# format.
#metadata: true
# Log the raw rule text.
#raw: false
#reference: false # include reference information from the rule
# http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
# http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
# websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64
# websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
# Enable logging the final action taken on a packet by the engine
# (e.g: the alert may have action 'allowed' but the verdict be
# 'drop' due to another alert. That's the engine's verdict)
# verdict: yes
# app layer frames
- frame:
# disabled by default as this is very verbose.
enabled: no
# payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
- anomaly:
# Anomaly log records describe unexpected conditions such
# as truncated packets, packets with invalid IP/UDP/TCP
# length values, and other events that render the packet
# invalid for further processing or describe unexpected
# behavior on an established stream. Networks which
# experience high occurrences of anomalies may experience
# packet processing degradation.
#
# Anomalies are reported for the following:
# 1. Decode: Values and conditions that are detected while
# decoding individual packets. This includes invalid or
# unexpected values for low-level protocol lengths as well
# as stream related events (TCP 3-way handshake issues,
# unexpected sequence number, etc).
# 2. Stream: This includes stream related events (TCP
# 3-way handshake issues, unexpected sequence number,
# etc).
# 3. Application layer: These denote application layer
# specific conditions that are unexpected, invalid or are
# unexpected given the application monitoring state.
#
# By default, anomaly logging is enabled. When anomaly
# logging is enabled, applayer anomaly reporting is
# also enabled.
enabled: yes
#
# Choose one or more types of anomaly logging and whether to enable
# logging of the packet header for packet anomalies.
types:
# decode: no
# stream: no
# applayer: yes
#packethdr: no
- http:
extended: yes # enable this for extended logging information
# custom allows additional HTTP fields to be included in eve-log.
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
# set this value to one and only one from {both, request, response}
# to dump all HTTP headers for every HTTP request and/or response
# dump-all-headers: none
- dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
# https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
# As of Suricata 5.0, version 2 of the eve dns output
# format is the default.
#version: 2
# Enable/disable this logger. Default: enabled.
#enabled: yes
# Control logging of requests and responses:
# - requests: enable logging of DNS queries
# - responses: enable logging of DNS answers
# By default both requests and responses are logged.
#requests: no
#responses: no
# Format of answer logging:
# - detailed: array item per answer
# - grouped: answers aggregated by type
# Default: all
#formats: [detailed, grouped]
# DNS record types to log, based on the query type.
# Default: all.
#types: [a, aaaa, cname, mx, ns, ptr, txt]
- tls:
extended: yes # enable this for extended logging information
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# custom controls which TLS fields that are included in eve-log
# WARNING: enabling custom disables extended logging.
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
#- drop:
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt.
# Enable logging the final action taken on a packet by the engine
# (will show more information in case of a drop caused by 'reject')
# verdict: yes
- smtp:
#extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date
#custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
# output md5 of fields: body, subject
# for the body you need to set app-layer.protocols.smtp.mime.body-md5
# to yes
#md5: [body, subject]
#- dnp3
- websocket
- ftp
- ftp-data
- rdp
- nfs
- smb
- tftp
- ike
- dcerpc
- krb5
- bittorrent-dht
- ssh
- arp:
enabled: no
- snmp
- rfb
- sip
- quic
- dhcp:
enabled: yes
# When extended mode is on, all DHCP messages are logged
# with full detail. When extended mode is off (the
# default), just enough information to map a MAC address
# to an IP address is logged.
extended: no
- mqtt:
# passwords: yes # enable output of passwords
# string-log-limit: 1kb # limit size of logged strings in bytes.
# Can be specified in kb, mb, gb. Just a number
# is parsed as bytes. Default is 1KB.
# Use a value of 0 to disable limiting.
# Note that the size is also bounded by
# the maximum parsed message size (see
# app-layer configuration)
- http2
- pgsql:
enabled: no
# passwords: yes # enable output of passwords. Disabled by default
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
# Don't log stats counters that are zero. Default: true
#null-values: false # False will NOT log stats counters: 0
# bi-directional flows
- flow
# uni-directional flows
#- netflow
# Metadata event type. Triggered whenever a pktvar is saved
# and will include the pktvars, flowvars, flowbits and
# flowints.
#- metadata
# EXPERIMENTAL per packet output giving TCP state tracking details
# including internal state, flags, etc.
# This output is experimental, meant for debugging and subject to
# change in both config and output without any notice.
#- stream:
# all: false # log all TCP packets
# event-set: false # log packets that have a decoder/stream event
# state-update: false # log packets triggering a TCP state update
# spurious-retransmission: false # log spurious retransmission packets
#
heartbeat:
# The output-flush-interval value governs how often Suricata will instruct the
# detection threads to flush their EVE output. Specify the value in seconds [1-60]
# and Suricata will initiate EVE log output flushes at that interval. A value
# of 0 means no EVE log output flushes are initiated. When the EVE output
# buffer-size value is non-zero, some EVE output that was written may remain
# buffered. The output-flush-interval governs how much buffered data exists.
#
# The default value is: 0 (never instruct detection threads to flush output)
#output-flush-interval: 0
每条告警、HTTP日志等都将写入此单一文件:'eve.json'。该文件可被Logstash (ELK) 或 jq 等第三方工具处理。
若 ethernet 设为 yes,则事件中将添加可用的以太网头部信息。若 pkt_src 值为 stream (flow timeout),则 ethernet 值将填充为流首包携带的以太网头部MAC地址。
若 suricata-version 设为 yes,则事件中将添加Suricata版本信息(含Git修订号,如可用)作为 suricata_version。
19.1.1.1. 输出缓冲¶
输出刷新由配置段 heartbeat 中的值控制。默认情况下,Suricata的输出是同步的,几乎不存在数据未持久化的可能。然而,若 output.buffer-size 设定了非零值,则部分输出数据可能被写入但未实际刷新。最多 buffer-size 字节的数据会暂存内存,稍后写入,这为输出数据丢失提供了有限的可能性。
因此,引入了心跳机制来限制缓冲数据在被刷新前的存活时间。通过配置可指示Suricata检测线程以心跳方式刷新EVE输出。默认值下,输出缓冲和刷新行为不变。output-flush-interval 控制检测线程刷新输出的频率。值为 0 表示"从不";非零值须在 [1-60] 秒之间。
当 outputs.buffer-size 大于0时,应考虑启用刷新以限制未持久化输出数据的量和时效。若 buffer-size 为 0 则无需刷新。
heartbeat:
#output-flush-interval: 0
19.1.1.2. 输出类型¶
EVE支持多种输出方式。regular 为常规文件。其他选项包括 syslog、unix_dgram、unix_stream 和 redis。
输出类型示例:
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
# 启用多线程eve.json输出;输出文件名会附加标识符,如eve.9.json。默认:关闭
#threaded: off
# 指定此输出类型的缓冲大小(字节)。
# 默认值0表示"无缓冲"。
#buffer-size: 0
#prefix: "@cee: " # 每条日志条目前缀
# 以下选项在type: syslog时有效
#identity: "suricata"
#facility: local5
#level: Info ## 可选级别: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
#ethernet: no # 事件中记录可用的以太网头部
#suricata-version: no # 包含suricata版本。默认不包含。
#redis:
# server: 127.0.0.1
# port: 6379
# async: true ## 是否异步读取redis回复
# mode: list ## 可选值: list|lpush (默认), rpush, channel|publish, xadd|stream
# ## lpush和rpush使用Redis列表。"list"是lpush的别名
# ## publish使用Redis频道。"channel"是publish的别名
# ## xadd使用Redis流。"stream"是xadd的别名
# key: suricata ## 使用的键/频道/流名称(默认为suricata)
# stream-maxlen: 100000 ## 自动将流长度修剪至最多此数量事件。
## 设为0禁用修剪。仅mode为xadd/stream时有效。
# stream-trim-exact: false ## 精确修剪至上述最大流长度。
## 默认:非精确修剪(允许少量偏差)
## 仅mode为xadd/stream时有效。
# Redis流水线设置。这将使每'batch-size'个事件才执行一次查询。
# 可降低网络延迟代价,但需消耗更多内存。无自动刷新机制,
# 故仅建议高流量场景使用。
# pipelining:
# enabled: yes ## 设为yes启用查询流水线
# batch-size: 10 ## 缓冲区内保留的条目数
19.1.1.3. 告警¶
告警是规则匹配产生的事件记录。可附加元数据,如触发告警的应用层记录(HTTP、DNS等)及规则元素。
使用应用层关键字的签名告警会附加应用层元数据。UDP协议亦如此,因每个单包预期包含PDU。
对于其他签名,可使用 guess-applayer-tx 选项强制检测引擎将事务与告警关联。
此事务不保证是相关事务,具体取决于使用场景及"相关"定义。
警告:若存在多个活跃事务,则不会选择任何事务。 此举旨在减少记录无关数据的概率,可能导致某些情况下告警无元数据记录。
此类告警事件将标记 tx_guessed: true。
元数据配置:
- alert:
#payload: yes # 启用Base64格式负载转储
#payload-buffer-size: 4kb # 输出到eve-log的最大负载缓冲区大小
#payload-printable: yes # 启用可打印(有损)格式负载转储
#payload-length: yes # 启用负载长度转储(含间隙)
#packet: yes # 启用数据包转储(不含流分段)
#http-body: yes # 需元数据;启用HTTP正文Base64转储
#http-body-printable: yes # 需元数据;启用HTTP正文可打印格式转储
# 元数据:
# 包含解码后的应用层(如http、dns)
#app-layer: true
# 记录流记录的当前状态
#flow: true
#rule:
# 以结构化格式记录规则中的元数据字段
#metadata: true
# 记录原始规则文本
#raw: false
# 包含规则引用信息
#reference: false
19.1.1.4. 异常¶
异常记录处理具有意外或异常值的数据包时创建的事件。包括协议值错误、协议长度值错误等可疑数据包条件。流正常进展中也可能出现其他条件;这些称为 stream 事件,包含值错误或顺序异常的控制序列。
异常按类型报告和配置:
解码异常
流异常
应用层异常
元数据配置:
- anomaly:
# 异常日志记录描述意外条件,如截断包、
# 无效IP/UDP/TCP长度值等使数据包无法继续处理的事件,
# 或已建立流上的意外行为。高频异常网络可能导致数据包处理性能下降。
#
# 报告以下异常:
# 1. 解码异常:解码单个数据包时检测到的值和条件。包括底层协议长度的无效或意外值。
# 2. 流异常:包括流相关事件(TCP三次握手问题、意外序列号等)。
# 3. 应用层异常:指应用层特定条件下意外、无效或与监控状态不符的情况。
#
# 默认禁用异常日志。启用后,默认开启应用层异常报告。
#
# 选择一种或多种异常日志类型,及是否记录数据包异常的包头信息。
types:
#decode: no
#stream: no
#applayer: yes
#packethdr: no
19.1.1.5. HTTP¶
HTTP事务日志。
配置:
- http:
extended: yes # 启用扩展日志信息
# custom允许在eve-log中添加额外HTTP字段
# 取消注释后,下方示例将添加三个额外字段
#custom: [Accept-Encoding, Accept-Language, Authorization]
# 将此值设为{both, request, response}之一以转储
# 每个HTTP请求和/或响应的所有头部
# dump-all-headers: [both, request, response]
自定义字段列表:
custom 选项中可使用两列的值。HTTP Header 列不区分大小写。
19.1.1.6. DNS¶
Note
Suricata 7.0起已移除v1 EVE DNS格式。
版本2 EVE DNS将在Suricata 9中移除。
DNS请求和响应分别记录为独立条目。
YAML配置:
- dns:
#version: 3
# 启用/禁用此记录器。默认:启用。
#enabled: yes
# 控制请求和响应记录:
# - requests: 记录DNS查询
# - responses: 记录DNS应答
# 默认两者均记录。
#requests: no
#responses: no
# 应答记录格式:
# - detailed: 每个应答单独条目
# - grouped: 按类型聚合应答
# 默认:全部
#formats: [detailed, grouped]
# 基于查询类型的记录类型。
# 默认:全部。
#types: [a, aaaa, cname, mx, ns, ptr, txt]
19.1.1.7. TLS¶
每个TLS会话记录一条日志。
YAML配置:
- tls:
extended: yes # 启用扩展日志信息
# custom用于控制包含哪些TLS字段
#custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
默认记录证书主题和颁发者。启用 extended 后日志更详细。
通过 custom 可选择记录哪些TLS字段。
注意:这将禁用 ``extended`` 日志。
19.1.1.8. ARP¶
ARP请求和响应分别记录为独立条目。
YAML配置:
- arp:
enabled: no
默认禁用此记录器,因ARP可能生成大量事件。
19.1.1.9. Netflow¶
Netflow记录与流记录类似,但为单向记录(流记录为双向)。因此Netflow记录数量是流记录的两倍。
默认禁用Netflow记录。
YAML配置:
#- netflow
启用Netflow:
- netflow:
enabled: yes
19.1.1.10. MQTT¶
EVE-JSON的MQTT输出每个事务为一个对象,含通用及类型特定字段。可配置两方面:
YAML配置:
- mqtt:
# passwords: yes # 启用密码明文输出
# string-log-limit: 1kb # 记录字符串的字节大小限制。
# 可用kb, mb, gb单位。纯数字视为字节。
# 默认1KB。设为0禁用限制。
# 注意大小也受最大解析消息限制(参见
# 应用层配置)
默认输出明文密码且不限制消息负载大小。根据解析器使用场景(公开输出、频繁二进制传输等),可针对常规 mqtt 事件进行配置。
19.1.1.11. 丢包记录¶
丢包记录引擎丢弃数据包时生成的事件类型。
配置:
- drop:
alerts: yes # 记录触发丢包的告警
flows: all # start或all:'start'仅记录每个流方向的首次丢包。
# all记录每个被丢包。
# 启用记录引擎对数据包的最终处置动作
# (若因'reject'导致丢包将显示更多信息)
verdict: yes
19.1.1.12. 统计¶
19.1.1.12.1. 零值计数器¶
人性化的 stats.log 输出默认仅记录非零计数器,而EVE统计日志默认记录所有启用的计数器,可能导致日志冗长。
为减小日志体积,可设 null-values 为 false。注意这可能影响零值有意义的统计信息的可见性。
配置:
- stats:
# 不记录零值统计计数器。默认:true
#null-values: false # False将不记录值为0的统计计数器
19.1.1.13. 文件名中的日期修饰符¶
可在eve-log文件名中使用日期修饰符。
outputs:
- eve-log:
filename: eve-%s.json
上例在文件名中添加纪元时间。支持C库所有日期修饰符。参见 strftime 手册页了解全部支持修饰符。
19.1.1.14. 多线程文件输出¶
默认所有输出写入outputs节指定的文件名。threaded 选项使每个输出线程写入独立文件。此时 filename 将包含唯一标识符。
启用 threaded 后,输出将分散到多个文件——需将所有文件内容聚合处理。
outputs:
- eve-log:
filename: eve.json
threaded: on
此例使每个Suricata线程写入各自的"eve.json"文件。文件名通过添加唯一标识符构造,如 eve.7.json。
19.1.1.15. 日志轮转¶
Eve-log可配置基于时间的轮转。
outputs:
- eve-log:
filename: eve-%Y-%m-%d-%H:%M.json
rotate-interval: minute
上例每分钟创建新日志文件,文件名含时间戳。其他支持的 rotate-interval 值为 hour 和 day。
此外,还可将 rotate-interval 设为相对值。例如每X秒轮转日志文件。
outputs:
- eve-log:
filename: eve-%Y-%m-%d-%H:%M:%S.json
rotate-interval: 30s
上例每30秒轮转eve-log。可替换为 ``30m``(30分钟)、``30h``(30小时)、``30d``(30天)或 ``30w``(30周)。
19.1.1.16. 多记录器实例¶
可配置多个'EVE'实例,例如以下配置有效:
outputs:
- eve-log:
enabled: yes
type: file
filename: eve-ips.json
types:
- alert
- drop
- eve-log:
enabled: yes
type: file
filename: eve-nsm.json
types:
- http
- dns
- tls
此处告警和丢包记录到'eve-ips.json',而http、dns和tls记录到'eve-nsm.json'。
除 drop 外,可指定多个相同类型的记录器,但 drop 仅能使用一次。
Note
独立json记录器(如alert-json-log、dns-json-log等)的使用已弃用, 将于2020年6月移除。请改用上述多eve-log实例。详见`弃用政策`_。
19.1.1.17. 文件权限¶
可为每个记录器单独设置日志文件权限。filemode 用于控制日志文件权限,例如:
outputs:
- eve-log:
enabled: yes
filename: eve.json
filemode: 600
上例将 eve.json 的文件权限设为600,即仅文件所有者可读写。
19.1.1.18. JSON标志¶
可通过多个标志控制EVE中的JSON输出:
outputs:
- eve-log:
json:
# 按插入顺序排序对象键
preserve-order: yes
# 使输出更紧凑
compact: yes
# 转义ASCII范围外的所有Unicode字符
ensure-ascii: yes
# 用'\/'转义字符串中的'/'字符
escape-slash: yes
这些标志默认均启用,可按EVE实例修改。
19.1.1.19. 社区流ID¶
Suricata常与Bro/Zeek等工具配合使用。在eve-log节启用community-id选项会为每条输出添加 community_id 字段。
示例:
{
"timestamp": "2003-12-16T13:21:44.891921+0000",
"flow_id": 1332028388187153,
"pcap_cnt": 1,
"event_type": "alert",
...
"community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1,
},