Configure the type of alert (and other) logging you would like.
Valid values for <NAME> are e.g. fast, eve-log, syslog, file-store, ...
fast: a line-based alerts log similar to Snort's fast.log
eve-log: Extensible Event Format (nicknamed EVE) event log in JSON format
For more details regarding the configuration, check out the shipped suricata.yaml, which you can view with
nix-shell -p suricata yq coreutils-full --command 'yq < $(dirname $(which suricata))/../etc/suricata/suricata.yaml'
and the Suricata documentation.
Declarations
Type
null or (list of attribute set of (YAML value))
Default
null
Example
[
  {
    fast = {
      enabled = "yes";
      filename = "fast.log";
      append = "yes";
    };
  }
  {
    eve-log = {
      enabled = "yes";
      filetype = "regular";
      filename = "eve.json";
      community-id = true;
      types = [
        {
          alert.tagged-packets = "yes";
        }
      ];
    };
  }
]