Diffstat (limited to 'framework/src/suricata/suricata.yaml.in')
-rw-r--r--framework/src/suricata/suricata.yaml.in49
1 files changed, 44 insertions, 5 deletions
diff --git a/framework/src/suricata/suricata.yaml.in b/framework/src/suricata/suricata.yaml.in
index 56d4d362..af54b527 100644
--- a/framework/src/suricata/suricata.yaml.in
+++ b/framework/src/suricata/suricata.yaml.in
@@ -44,9 +44,13 @@ host-mode: auto
# user: suri
# group: suri
+# Some logging module will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
# Default pid file.
# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
+#pid-file: @e_rundir@suricata.pid
# Daemon working directory
# Suricata will change directory to this one if provided
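Review bot: `#pid-file: @e_rundir@suricata.pid` joins the substituted directory and the file name with no separator, so the result is a valid path only if `@e_rundir@` expands with a trailing slash (the removed line was the full path `/var/run/suricata.pid`). The same pattern appears in the logging hunk as `@e_logdir@suricata.log`; if the configure substitution does not guarantee the trailing slash, the generated default becomes something like `/var/runsuricata.pid`. Either define the substitution to include the slash or write `@e_rundir@/suricata.pid` — confirm against how the build defines e_rundir and e_logdir. The new sensor-name comment would also read better as `# Some logging modules use this name as the sensor identifier in events. It defaults to the hostname.`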
@@ -92,7 +96,7 @@ outputs:
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
- filetype: regular #regular|syslog|unix_dgram|unix_stream
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
#prefix: "@cee: " # prefix to prepend to each log entry
# the following are valid when type: syslog above
@@ -100,6 +104,18 @@ outputs:
#facility: local5
#level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # mode: list ## possible values: list (default), channel
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
types:
- alert:
# payload: yes # enable dumping payload in Base64
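Review bot: The pipelining comment says there is no flushing but does not spell out the consequence: with `batch-size: 10`, events sit in the buffer until ten more arrive, so on a quiet sensor the most recent alerts may never reach Redis, and on a crash or shutdown they are lost. Suggest `# No flush is implemented: buffered events are sent only when batch-size is reached and are lost on shutdown, so reserve pipelining for high-traffic sensors` (which also fixes "as to be" → "has to be"). The visible redis block offers only server/port/mode/key with no authentication or TLS setting; unless the output module takes credentials from elsewhere, the comment should warn that pointing `server` at a remote host ships alert data to an unauthenticated Redis in cleartext, and that the loopback default is the only setting that needs no further protection.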
@@ -108,6 +124,7 @@ outputs:
# http: yes # enable dumping of http fields
# tls: yes # enable dumping of tls fields
# ssh: yes # enable dumping of ssh fields
+ # smtp: yes # enable dumping of smtp fields
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
@@ -139,7 +156,19 @@ outputs:
force-md5: no # force logging of md5 checksums
#- drop:
# alerts: no # log alerts that caused drops
- - smtp
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
- ssh
- stats:
totals: yes # stats for all threads merged together
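Review bot: `- smtp:` with every child commented out parses as a mapping whose value is null, whereas the removed `- smtp` was a plain scalar entry; confirm the config loader treats an smtp key with no children as "enabled with defaults", otherwise the shipped default silently changes what the old line did. The `md5: [body, subject]` comment should also say what the digests are for, e.g. `# md5 values are for correlation/de-duplication across sensors, not integrity evidence (MD5 is collision-prone)`. The custom-field example logs `bcc`, `received` and `x-originating-ip`, which expose hidden recipients and sender network locations; a one-line warning that enabling them puts mail metadata into eve.json, so the log file needs matching access controls, would help operators.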
@@ -162,6 +191,10 @@ outputs:
# Sensor ID field of unified2 alerts.
#sensor-id: 0
+ # Include payload of packets related to alerts. Defaults to true, set to
+ # false if payload is not required.
+ #payload: yes
+
# HTTP X-Forwarded-For support by adding the unified2 extra header or
# overwriting the source or destination IP address (depending on flow
# direction) with the one reported in the X-Forwarded-For HTTP header.
@@ -947,7 +980,7 @@ logging:
# type: json
- file:
enabled: no
- filename: /var/log/suricata.log
+ filename: @e_logdir@suricata.log
# type: json
- syslog:
enabled: no
@@ -1291,6 +1324,9 @@ app-layer:
# Extract URLs and save in state data structure
extract-urls: yes
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
# Configure inspected-tracker for file_data keyword
inspected-tracker:
content-limit: 1000
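Review bot: The new comment says the body hash can be "journalized", which does not tell the reader which output consumes it; suggest `# Set to yes to compute the MD5 of the mail body so the eve-log smtp output can record it (md5: [body]).` Since this hashes every MIME body whether or not an output uses it, the `no` default is the right call and the comment could say that the cost is paid per message. The enclosing smtp mime section starts outside the hunk.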
@@ -1475,9 +1511,12 @@ profiling:
# Sort options: ticks, avgticks, checks, matches, maxticks
sort: avgticks
- # Limit the number of items printed at exit.
+ # Limit the number of items printed at exit (ignored for json).
limit: 100
+ # output to json
+ json: true
+
# per keyword profiling
keywords:
enabled: yes
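Review bot: `json: true` is on by default while the adjacent comment states `limit` is ignored for json, so `limit: 100` has no effect in the shipped configuration; either default to `json: false` or reword the comment to `# Limit the number of items printed at exit (text output only; ignored when json is enabled).` The value also breaks the file's boolean convention, which uses `yes`/`no` everywhere else in this diff (`enabled: yes`, `totals: yes`) — `json: yes` keeps it consistent. The profiling section continues past the end of the hunk.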