Feature #2935: Support for multiple-logger for drop eve-log - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #2935

open

Support for multiple-logger for drop eve-log

Added by Ruben Louis over 5 years ago. Updated over 5 years ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Hello according to the documetation, https://github.com/OISF/suricata/blob/d6903e70c1b653984ca95f8808755efbc6a9ece4/doc/userguide/output/eve/eve-json-output.rst#multiple-logger-instances, one cannot have multiple-logger instances for the drop eve-log.
Is this something that could be implemented?

History
Notes
Property changes

Actions

Copy link

Updated by Victor Julien over 5 years ago

Assignee set to Community Ticket
Target version set to TBD

The issue is that the tracking of the flow logging 'flows: all|start' is done using a flag in the flow. Since the first logger would set the flag, the 2nd would not log as the flag is already set. Working around this is not impossible but would require some thought.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #2935

Support for multiple-logger for drop eve-log

Updated by Victor Julien over 5 years ago