Suricata fields

Module for handling the EVE JSON logs produced by Suricata.

suricata

Fields from the Suricata EVE log file.

eve

Fields exported by the EVE JSON logs.

suricata.eve.event_type

type: keyword

suricata.eve.app_proto_orig

type: keyword

suricata.eve.tcp.tcp_flags

type: keyword

suricata.eve.tcp.psh

type: boolean

suricata.eve.tcp.tcp_flags_tc

type: keyword

suricata.eve.tcp.ack

type: boolean

suricata.eve.tcp.syn

type: boolean

suricata.eve.tcp.state

type: keyword

suricata.eve.tcp.tcp_flags_ts

type: keyword

suricata.eve.tcp.rst

type: boolean

suricata.eve.tcp.fin

type: boolean

suricata.eve.fileinfo.sha1

type: keyword

suricata.eve.fileinfo.tx_id

type: long

suricata.eve.fileinfo.state

type: keyword

suricata.eve.fileinfo.stored

type: boolean

suricata.eve.fileinfo.gaps

type: boolean

suricata.eve.fileinfo.sha256

type: keyword

suricata.eve.fileinfo.md5

type: keyword

suricata.eve.icmp_type

type: long

suricata.eve.pcap_cnt

type: long

suricata.eve.dns.type

type: keyword

suricata.eve.dns.rrtype

type: keyword

suricata.eve.dns.rrname

type: keyword

suricata.eve.dns.rdata

type: keyword

suricata.eve.dns.tx_id

type: long

suricata.eve.dns.ttl

type: long

suricata.eve.dns.rcode

type: keyword

suricata.eve.dns.id

type: long

suricata.eve.flow_id

type: keyword

suricata.eve.email.status

type: keyword

suricata.eve.icmp_code

type: long

suricata.eve.http.redirect

type: keyword

suricata.eve.http.protocol

type: keyword

suricata.eve.http.http_content_type

type: keyword

suricata.eve.in_iface

type: keyword

suricata.eve.alert.metadata

Metadata about the alert.

type: flattened

suricata.eve.alert.category

type: keyword

suricata.eve.alert.rev

type: long

suricata.eve.alert.gid

type: long

suricata.eve.alert.signature

type: keyword

suricata.eve.alert.signature_id

type: long

suricata.eve.alert.protocols

type: keyword

suricata.eve.alert.attack_target

type: keyword

suricata.eve.alert.capec_id

type: keyword

suricata.eve.alert.cwe_id

type: keyword

suricata.eve.alert.malware

type: keyword

suricata.eve.alert.cve

type: keyword

suricata.eve.alert.cvss_v2_base

type: keyword

suricata.eve.alert.cvss_v2_temporal

type: keyword

suricata.eve.alert.cvss_v3_base

type: keyword

suricata.eve.alert.cvss_v3_temporal

type: keyword

suricata.eve.alert.priority

type: keyword

suricata.eve.alert.hostile

type: keyword

suricata.eve.alert.infected

type: keyword

suricata.eve.alert.created_at

type: date

suricata.eve.alert.updated_at

type: date

suricata.eve.alert.classtype

type: keyword

suricata.eve.alert.rule_source

type: keyword

suricata.eve.alert.sid

type: keyword

suricata.eve.alert.affected_product

type: keyword

suricata.eve.alert.deployment

type: keyword

suricata.eve.alert.former_category

type: keyword

suricata.eve.alert.mitre_tool_id

type: keyword

suricata.eve.alert.performance_impact

type: keyword

suricata.eve.alert.signature_severity

type: keyword

suricata.eve.alert.tag

type: keyword

suricata.eve.ssh.client.proto_version

type: keyword

suricata.eve.ssh.client.software_version

type: keyword

suricata.eve.ssh.server.proto_version

type: keyword

suricata.eve.ssh.server.software_version

type: keyword

suricata.eve.stats.capture.kernel_packets

type: long

suricata.eve.stats.capture.kernel_drops

type: long

suricata.eve.stats.capture.kernel_ifdrops

type: long

suricata.eve.stats.uptime

type: long

suricata.eve.stats.detect.alert

type: long

suricata.eve.stats.http.memcap

type: long

suricata.eve.stats.http.memuse

type: long

suricata.eve.stats.file_store.open_files

type: long

suricata.eve.stats.defrag.max_frag_hits

type: long

suricata.eve.stats.defrag.ipv4.timeouts

type: long

suricata.eve.stats.defrag.ipv4.fragments

type: long

suricata.eve.stats.defrag.ipv4.reassembled

type: long

suricata.eve.stats.defrag.ipv6.timeouts

type: long

suricata.eve.stats.defrag.ipv6.fragments

type: long

suricata.eve.stats.defrag.ipv6.reassembled

type: long

suricata.eve.stats.flow.tcp_reuse

type: long

suricata.eve.stats.flow.udp

type: long

suricata.eve.stats.flow.memcap

type: long

suricata.eve.stats.flow.emerg_mode_entered

type: long

suricata.eve.stats.flow.emerg_mode_over

type: long

suricata.eve.stats.flow.tcp

type: long

suricata.eve.stats.flow.icmpv6

type: long

suricata.eve.stats.flow.icmpv4

type: long

suricata.eve.stats.flow.spare

type: long

suricata.eve.stats.flow.memuse

type: long

suricata.eve.stats.tcp.pseudo_failed

type: long

suricata.eve.stats.tcp.ssn_memcap_drop

type: long

suricata.eve.stats.tcp.insert_data_overlap_fail

type: long

suricata.eve.stats.tcp.sessions

type: long

suricata.eve.stats.tcp.pseudo

type: long

suricata.eve.stats.tcp.synack

type: long

suricata.eve.stats.tcp.insert_data_normal_fail

type: long

suricata.eve.stats.tcp.syn

type: long

suricata.eve.stats.tcp.memuse

type: long

suricata.eve.stats.tcp.invalid_checksum

type: long

suricata.eve.stats.tcp.segment_memcap_drop

type: long

suricata.eve.stats.tcp.overlap

type: long

suricata.eve.stats.tcp.insert_list_fail

type: long

suricata.eve.stats.tcp.rst

type: long

suricata.eve.stats.tcp.stream_depth_reached

type: long

suricata.eve.stats.tcp.reassembly_memuse

type: long

suricata.eve.stats.tcp.reassembly_gap

type: long

suricata.eve.stats.tcp.overlap_diff_data

type: long

suricata.eve.stats.tcp.no_flow

type: long

suricata.eve.stats.decoder.avg_pkt_size

type: long

suricata.eve.stats.decoder.bytes

type: long

suricata.eve.stats.decoder.tcp

type: long

suricata.eve.stats.decoder.raw

type: long

suricata.eve.stats.decoder.ppp

type: long

suricata.eve.stats.decoder.vlan_qinq

type: long

suricata.eve.stats.decoder.null

type: long

suricata.eve.stats.decoder.ltnull.unsupported_type

type: long

suricata.eve.stats.decoder.ltnull.pkt_too_small

type: long

suricata.eve.stats.decoder.invalid

type: long

suricata.eve.stats.decoder.gre

type: long

suricata.eve.stats.decoder.ipv4

type: long

suricata.eve.stats.decoder.ipv6

type: long

suricata.eve.stats.decoder.pkts

type: long

suricata.eve.stats.decoder.ipv6_in_ipv6

type: long

suricata.eve.stats.decoder.ipraw.invalid_ip_version

type: long

suricata.eve.stats.decoder.pppoe

type: long

suricata.eve.stats.decoder.udp

type: long

suricata.eve.stats.decoder.dce.pkt_too_small

type: long

suricata.eve.stats.decoder.vlan

type: long

suricata.eve.stats.decoder.sctp

type: long

suricata.eve.stats.decoder.max_pkt_size

type: long

suricata.eve.stats.decoder.teredo

type: long

suricata.eve.stats.decoder.mpls

type: long

suricata.eve.stats.decoder.sll

type: long

suricata.eve.stats.decoder.icmpv6

type: long

suricata.eve.stats.decoder.icmpv4

type: long

suricata.eve.stats.decoder.erspan

type: long

suricata.eve.stats.decoder.ethernet

type: long

suricata.eve.stats.decoder.ipv4_in_ipv6

type: long

suricata.eve.stats.decoder.ieee8021ah

type: long

suricata.eve.stats.dns.memcap_global

type: long

suricata.eve.stats.dns.memcap_state

type: long

suricata.eve.stats.dns.memuse

type: long

suricata.eve.stats.flow_mgr.rows_busy

type: long

suricata.eve.stats.flow_mgr.flows_timeout

type: long

suricata.eve.stats.flow_mgr.flows_notimeout

type: long

suricata.eve.stats.flow_mgr.rows_skipped

type: long

suricata.eve.stats.flow_mgr.closed_pruned

type: long

suricata.eve.stats.flow_mgr.new_pruned

type: long

suricata.eve.stats.flow_mgr.flows_removed

type: long

suricata.eve.stats.flow_mgr.bypassed_pruned

type: long

suricata.eve.stats.flow_mgr.est_pruned

type: long

suricata.eve.stats.flow_mgr.flows_timeout_inuse

type: long

suricata.eve.stats.flow_mgr.flows_checked

type: long

suricata.eve.stats.flow_mgr.rows_maxlen

type: long

suricata.eve.stats.flow_mgr.rows_checked

type: long

suricata.eve.stats.flow_mgr.rows_empty

type: long

suricata.eve.stats.app_layer.flow.tls

type: long

suricata.eve.stats.app_layer.flow.ftp

type: long

suricata.eve.stats.app_layer.flow.http

type: long

suricata.eve.stats.app_layer.flow.failed_udp

type: long

suricata.eve.stats.app_layer.flow.dns_udp

type: long

suricata.eve.stats.app_layer.flow.dns_tcp

type: long

suricata.eve.stats.app_layer.flow.smtp

type: long

suricata.eve.stats.app_layer.flow.failed_tcp

type: long

suricata.eve.stats.app_layer.flow.msn

type: long

suricata.eve.stats.app_layer.flow.ssh

type: long

suricata.eve.stats.app_layer.flow.imap

type: long

suricata.eve.stats.app_layer.flow.dcerpc_udp

type: long

suricata.eve.stats.app_layer.flow.dcerpc_tcp

type: long

suricata.eve.stats.app_layer.flow.smb

type: long

suricata.eve.stats.app_layer.tx.tls

type: long

suricata.eve.stats.app_layer.tx.ftp

type: long

suricata.eve.stats.app_layer.tx.http

type: long

suricata.eve.stats.app_layer.tx.dns_udp

type: long

suricata.eve.stats.app_layer.tx.dns_tcp

type: long

suricata.eve.stats.app_layer.tx.smtp

type: long

suricata.eve.stats.app_layer.tx.ssh

type: long

suricata.eve.stats.app_layer.tx.dcerpc_udp

type: long

suricata.eve.stats.app_layer.tx.dcerpc_tcp

type: long

suricata.eve.stats.app_layer.tx.smb

type: long

suricata.eve.tls.notbefore

type: date

suricata.eve.tls.issuerdn

type: keyword

suricata.eve.tls.sni

type: keyword

suricata.eve.tls.version

type: keyword

suricata.eve.tls.session_resumed

type: boolean

suricata.eve.tls.fingerprint

type: keyword

suricata.eve.tls.serial

type: keyword

suricata.eve.tls.notafter

type: date

suricata.eve.tls.subject

type: keyword

suricata.eve.tls.ja3s.string

type: keyword

suricata.eve.tls.ja3s.hash

type: keyword

suricata.eve.tls.ja3.string

type: keyword

suricata.eve.tls.ja3.hash

type: keyword

suricata.eve.app_proto_ts

type: keyword

suricata.eve.flow.age

type: long

suricata.eve.flow.state

type: keyword

suricata.eve.flow.reason

type: keyword

suricata.eve.flow.alerted

type: boolean

suricata.eve.tx_id

type: long

suricata.eve.app_proto_tc

type: keyword

suricata.eve.smtp.rcpt_to

type: keyword

suricata.eve.smtp.mail_from

type: keyword

suricata.eve.smtp.helo

type: keyword

suricata.eve.app_proto_expected

type: keyword