Suricata fields

Module for handling the EVE JSON logs produced by Suricata.

suricata

Fields from the Suricata EVE log file.

eve

Fields exported by the EVE JSON logs.

suricata.eve.event_type
type: keyword
suricata.eve.app_proto_orig
type: keyword
suricata.eve.tcp.tcp_flags
type: keyword
suricata.eve.tcp.psh
type: boolean
suricata.eve.tcp.tcp_flags_tc
type: keyword
suricata.eve.tcp.ack
type: boolean
suricata.eve.tcp.syn
type: boolean
suricata.eve.tcp.state
type: keyword
suricata.eve.tcp.tcp_flags_ts
type: keyword
suricata.eve.tcp.rst
type: boolean
suricata.eve.tcp.fin
type: boolean
suricata.eve.fileinfo.sha1
type: keyword
suricata.eve.fileinfo.filename

type: alias

alias to: file.path

suricata.eve.fileinfo.tx_id
type: long
suricata.eve.fileinfo.state
type: keyword
suricata.eve.fileinfo.stored
type: boolean
suricata.eve.fileinfo.gaps
type: boolean
suricata.eve.fileinfo.sha256
type: keyword
suricata.eve.fileinfo.md5
type: keyword
suricata.eve.fileinfo.size

type: alias

alias to: file.size

suricata.eve.icmp_type
type: long
suricata.eve.dest_port

type: alias

alias to: destination.port

suricata.eve.src_port

type: alias

alias to: source.port

suricata.eve.proto

type: alias

alias to: network.transport

suricata.eve.pcap_cnt
type: long
suricata.eve.src_ip

type: alias

alias to: source.ip

suricata.eve.dns.type
type: keyword
suricata.eve.dns.rrtype
type: keyword
suricata.eve.dns.rrname
type: keyword
suricata.eve.dns.rdata
type: keyword
suricata.eve.dns.tx_id
type: long
suricata.eve.dns.ttl
type: long
suricata.eve.dns.rcode
type: keyword
suricata.eve.dns.id
type: long
suricata.eve.flow_id
type: keyword
suricata.eve.email.status
type: keyword
suricata.eve.dest_ip

type: alias

alias to: destination.ip

suricata.eve.icmp_code
type: long
suricata.eve.http.status

type: alias

alias to: http.response.status_code

suricata.eve.http.redirect
type: keyword
suricata.eve.http.http_user_agent

type: alias

alias to: user_agent.original

suricata.eve.http.protocol
type: keyword
suricata.eve.http.http_refer

type: alias

alias to: http.request.referrer

suricata.eve.http.url

type: alias

alias to: url.original

suricata.eve.http.hostname

type: alias

alias to: url.domain

suricata.eve.http.length

type: alias

alias to: http.response.body.bytes

suricata.eve.http.http_method

type: alias

alias to: http.request.method

suricata.eve.http.http_content_type
type: keyword
suricata.eve.timestamp

type: alias

alias to: @timestamp

suricata.eve.in_iface
type: keyword
suricata.eve.alert.category
type: keyword
suricata.eve.alert.severity

type: alias

alias to: event.severity

suricata.eve.alert.rev
type: long
suricata.eve.alert.gid
type: long
suricata.eve.alert.signature
type: keyword
suricata.eve.alert.action

type: alias

alias to: event.outcome

suricata.eve.alert.signature_id
type: long
suricata.eve.ssh.client.proto_version
type: keyword
suricata.eve.ssh.client.software_version
type: keyword
suricata.eve.ssh.server.proto_version
type: keyword
suricata.eve.ssh.server.software_version
type: keyword
suricata.eve.stats.capture.kernel_packets
type: long
suricata.eve.stats.capture.kernel_drops
type: long
suricata.eve.stats.capture.kernel_ifdrops
type: long
suricata.eve.stats.uptime
type: long
suricata.eve.stats.detect.alert
type: long
suricata.eve.stats.http.memcap
type: long
suricata.eve.stats.http.memuse
type: long
suricata.eve.stats.file_store.open_files
type: long
suricata.eve.stats.defrag.max_frag_hits
type: long
suricata.eve.stats.defrag.ipv4.timeouts
type: long
suricata.eve.stats.defrag.ipv4.fragments
type: long
suricata.eve.stats.defrag.ipv4.reassembled
type: long
suricata.eve.stats.defrag.ipv6.timeouts
type: long
suricata.eve.stats.defrag.ipv6.fragments
type: long
suricata.eve.stats.defrag.ipv6.reassembled
type: long
suricata.eve.stats.flow.tcp_reuse
type: long
suricata.eve.stats.flow.udp
type: long
suricata.eve.stats.flow.memcap
type: long
suricata.eve.stats.flow.emerg_mode_entered
type: long
suricata.eve.stats.flow.emerg_mode_over
type: long
suricata.eve.stats.flow.tcp
type: long
suricata.eve.stats.flow.icmpv6
type: long
suricata.eve.stats.flow.icmpv4
type: long
suricata.eve.stats.flow.spare
type: long
suricata.eve.stats.flow.memuse
type: long
suricata.eve.stats.tcp.pseudo_failed
type: long
suricata.eve.stats.tcp.ssn_memcap_drop
type: long
suricata.eve.stats.tcp.insert_data_overlap_fail
type: long
suricata.eve.stats.tcp.sessions
type: long
suricata.eve.stats.tcp.pseudo
type: long
suricata.eve.stats.tcp.synack
type: long
suricata.eve.stats.tcp.insert_data_normal_fail
type: long
suricata.eve.stats.tcp.syn
type: long
suricata.eve.stats.tcp.memuse
type: long
suricata.eve.stats.tcp.invalid_checksum
type: long
suricata.eve.stats.tcp.segment_memcap_drop
type: long
suricata.eve.stats.tcp.overlap
type: long
suricata.eve.stats.tcp.insert_list_fail
type: long
suricata.eve.stats.tcp.rst
type: long
suricata.eve.stats.tcp.stream_depth_reached
type: long
suricata.eve.stats.tcp.reassembly_memuse
type: long
suricata.eve.stats.tcp.reassembly_gap
type: long
suricata.eve.stats.tcp.overlap_diff_data
type: long
suricata.eve.stats.tcp.no_flow
type: long
suricata.eve.stats.decoder.avg_pkt_size
type: long
suricata.eve.stats.decoder.bytes
type: long
suricata.eve.stats.decoder.tcp
type: long
suricata.eve.stats.decoder.raw
type: long
suricata.eve.stats.decoder.ppp
type: long
suricata.eve.stats.decoder.vlan_qinq
type: long
suricata.eve.stats.decoder.null
type: long
suricata.eve.stats.decoder.ltnull.unsupported_type
type: long
suricata.eve.stats.decoder.ltnull.pkt_too_small
type: long
suricata.eve.stats.decoder.invalid
type: long
suricata.eve.stats.decoder.gre
type: long
suricata.eve.stats.decoder.ipv4
type: long
suricata.eve.stats.decoder.ipv6
type: long
suricata.eve.stats.decoder.pkts
type: long
suricata.eve.stats.decoder.ipv6_in_ipv6
type: long
suricata.eve.stats.decoder.ipraw.invalid_ip_version
type: long
suricata.eve.stats.decoder.pppoe
type: long
suricata.eve.stats.decoder.udp
type: long
suricata.eve.stats.decoder.dce.pkt_too_small
type: long
suricata.eve.stats.decoder.vlan
type: long
suricata.eve.stats.decoder.sctp
type: long
suricata.eve.stats.decoder.max_pkt_size
type: long
suricata.eve.stats.decoder.teredo
type: long
suricata.eve.stats.decoder.mpls
type: long
suricata.eve.stats.decoder.sll
type: long
suricata.eve.stats.decoder.icmpv6
type: long
suricata.eve.stats.decoder.icmpv4
type: long
suricata.eve.stats.decoder.erspan
type: long
suricata.eve.stats.decoder.ethernet
type: long
suricata.eve.stats.decoder.ipv4_in_ipv6
type: long
suricata.eve.stats.decoder.ieee8021ah
type: long
suricata.eve.stats.dns.memcap_global
type: long
suricata.eve.stats.dns.memcap_state
type: long
suricata.eve.stats.dns.memuse
type: long
suricata.eve.stats.flow_mgr.rows_busy
type: long
suricata.eve.stats.flow_mgr.flows_timeout
type: long
suricata.eve.stats.flow_mgr.flows_notimeout
type: long
suricata.eve.stats.flow_mgr.rows_skipped
type: long
suricata.eve.stats.flow_mgr.closed_pruned
type: long
suricata.eve.stats.flow_mgr.new_pruned
type: long
suricata.eve.stats.flow_mgr.flows_removed
type: long
suricata.eve.stats.flow_mgr.bypassed_pruned
type: long
suricata.eve.stats.flow_mgr.est_pruned
type: long
suricata.eve.stats.flow_mgr.flows_timeout_inuse
type: long
suricata.eve.stats.flow_mgr.flows_checked
type: long
suricata.eve.stats.flow_mgr.rows_maxlen
type: long
suricata.eve.stats.flow_mgr.rows_checked
type: long
suricata.eve.stats.flow_mgr.rows_empty
type: long
suricata.eve.stats.app_layer.flow.tls
type: long
suricata.eve.stats.app_layer.flow.ftp
type: long
suricata.eve.stats.app_layer.flow.http
type: long
suricata.eve.stats.app_layer.flow.failed_udp
type: long
suricata.eve.stats.app_layer.flow.dns_udp
type: long
suricata.eve.stats.app_layer.flow.dns_tcp
type: long
suricata.eve.stats.app_layer.flow.smtp
type: long
suricata.eve.stats.app_layer.flow.failed_tcp
type: long
suricata.eve.stats.app_layer.flow.msn
type: long
suricata.eve.stats.app_layer.flow.ssh
type: long
suricata.eve.stats.app_layer.flow.imap
type: long
suricata.eve.stats.app_layer.flow.dcerpc_udp
type: long
suricata.eve.stats.app_layer.flow.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.flow.smb
type: long
suricata.eve.stats.app_layer.tx.tls
type: long
suricata.eve.stats.app_layer.tx.ftp
type: long
suricata.eve.stats.app_layer.tx.http
type: long
suricata.eve.stats.app_layer.tx.dns_udp
type: long
suricata.eve.stats.app_layer.tx.dns_tcp
type: long
suricata.eve.stats.app_layer.tx.smtp
type: long
suricata.eve.stats.app_layer.tx.ssh
type: long
suricata.eve.stats.app_layer.tx.dcerpc_udp
type: long
suricata.eve.stats.app_layer.tx.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.tx.smb
type: long
suricata.eve.tls.notbefore
type: date
suricata.eve.tls.issuerdn
type: keyword
suricata.eve.tls.sni
type: keyword
suricata.eve.tls.version
type: keyword
suricata.eve.tls.session_resumed
type: boolean
suricata.eve.tls.fingerprint
type: keyword
suricata.eve.tls.serial
type: keyword
suricata.eve.tls.notafter
type: date
suricata.eve.tls.subject
type: keyword
suricata.eve.app_proto_ts
type: keyword
suricata.eve.flow.bytes_toclient

type: alias

alias to: destination.bytes

suricata.eve.flow.start

type: alias

alias to: event.start

suricata.eve.flow.pkts_toclient

type: alias

alias to: destination.packets

suricata.eve.flow.age
type: long
suricata.eve.flow.state
type: keyword
suricata.eve.flow.bytes_toserver

type: alias

alias to: source.bytes

suricata.eve.flow.reason
type: keyword
suricata.eve.flow.pkts_toserver

type: alias

alias to: source.packets

suricata.eve.flow.end
type: date
suricata.eve.flow.alerted
type: boolean
suricata.eve.app_proto

type: alias

alias to: network.protocol

suricata.eve.tx_id
type: long
suricata.eve.app_proto_tc
type: keyword
suricata.eve.smtp.rcpt_to
type: keyword
suricata.eve.smtp.mail_from
type: keyword
suricata.eve.smtp.helo
type: keyword
suricata.eve.app_proto_expected
type: keyword