Suricata fields

Module for handling the EVE JSON logs produced by Suricata.

suricata fields

Fields from the Suricata EVE log file.

eve fields

Fields exported by the EVE JSON logs.

suricata.eve.event_type
type: keyword
suricata.eve.app_proto_orig
type: keyword
suricata.eve.tcp.tcp_flags
type: keyword
suricata.eve.tcp.psh
type: boolean
suricata.eve.tcp.tcp_flags_tc
type: keyword
suricata.eve.tcp.ack
type: boolean
suricata.eve.tcp.syn
type: boolean
suricata.eve.tcp.state
type: keyword
suricata.eve.tcp.tcp_flags_ts
type: keyword
suricata.eve.tcp.rst
type: boolean
suricata.eve.tcp.fin
type: boolean
suricata.eve.fileinfo.sha1
type: keyword
suricata.eve.fileinfo.filename

type: alias

alias to: file.path

suricata.eve.fileinfo.tx_id
type: long
suricata.eve.fileinfo.state
type: keyword
suricata.eve.fileinfo.stored
type: boolean
suricata.eve.fileinfo.gaps
type: boolean
suricata.eve.fileinfo.sha256
type: keyword
suricata.eve.fileinfo.md5
type: keyword
suricata.eve.fileinfo.size

type: alias

alias to: file.size

suricata.eve.icmp_type
type: long
suricata.eve.dest_port

type: alias

alias to: destination.port

suricata.eve.src_port

type: alias

alias to: source.port

suricata.eve.proto

type: alias

alias to: network.transport

suricata.eve.pcap_cnt
type: long
suricata.eve.src_ip

type: alias

alias to: source.ip

suricata.eve.dns.type
type: keyword
suricata.eve.dns.rrtype
type: keyword
suricata.eve.dns.rrname
type: keyword
suricata.eve.dns.rdata
type: keyword
suricata.eve.dns.tx_id
type: long
suricata.eve.dns.ttl
type: long
suricata.eve.dns.rcode
type: keyword
suricata.eve.dns.id
type: long
suricata.eve.flow_id
type: keyword
suricata.eve.email.status
type: keyword
suricata.eve.dest_ip

type: alias

alias to: destination.ip

suricata.eve.icmp_code
type: long
suricata.eve.http.status

type: alias

alias to: http.response.status_code

suricata.eve.http.redirect
type: keyword
suricata.eve.http.http_user_agent

type: alias

alias to: user_agent.original

suricata.eve.http.protocol
type: keyword
suricata.eve.http.http_refer

type: alias

alias to: http.request.referrer

suricata.eve.http.url

type: alias

alias to: url.original

suricata.eve.http.hostname

type: alias

alias to: url.domain

suricata.eve.http.length

type: alias

alias to: http.response.body.bytes

suricata.eve.http.http_method

type: alias

alias to: http.request.method

suricata.eve.http.http_content_type
type: keyword
suricata.eve.timestamp

type: alias

alias to: @timestamp

suricata.eve.in_iface
type: keyword
suricata.eve.alert.category
type: keyword
suricata.eve.alert.severity

type: alias

alias to: event.severity

suricata.eve.alert.rev
type: long
suricata.eve.alert.gid
type: long
suricata.eve.alert.signature
type: keyword
suricata.eve.alert.action

type: alias

alias to: event.outcome

suricata.eve.alert.signature_id
type: long
suricata.eve.ssh.client.proto_version
type: keyword
suricata.eve.ssh.client.software_version
type: keyword
suricata.eve.ssh.server.proto_version
type: keyword
suricata.eve.ssh.server.software_version
type: keyword
suricata.eve.stats.capture.kernel_packets
type: long
suricata.eve.stats.capture.kernel_drops
type: long
suricata.eve.stats.capture.kernel_ifdrops
type: long
suricata.eve.stats.uptime
type: long
suricata.eve.stats.detect.alert
type: long
suricata.eve.stats.http.memcap
type: long
suricata.eve.stats.http.memuse
type: long
suricata.eve.stats.file_store.open_files
type: long
suricata.eve.stats.defrag.max_frag_hits
type: long
suricata.eve.stats.defrag.ipv4.timeouts
type: long
suricata.eve.stats.defrag.ipv4.fragments
type: long
suricata.eve.stats.defrag.ipv4.reassembled
type: long
suricata.eve.stats.defrag.ipv6.timeouts
type: long
suricata.eve.stats.defrag.ipv6.fragments
type: long
suricata.eve.stats.defrag.ipv6.reassembled
type: long
suricata.eve.stats.flow.tcp_reuse
type: long
suricata.eve.stats.flow.udp
type: long
suricata.eve.stats.flow.memcap
type: long
suricata.eve.stats.flow.emerg_mode_entered
type: long
suricata.eve.stats.flow.emerg_mode_over
type: long
suricata.eve.stats.flow.tcp
type: long
suricata.eve.stats.flow.icmpv6
type: long
suricata.eve.stats.flow.icmpv4
type: long
suricata.eve.stats.flow.spare
type: long
suricata.eve.stats.flow.memuse
type: long
suricata.eve.stats.tcp.pseudo_failed
type: long
suricata.eve.stats.tcp.ssn_memcap_drop
type: long
suricata.eve.stats.tcp.insert_data_overlap_fail
type: long
suricata.eve.stats.tcp.sessions
type: long
suricata.eve.stats.tcp.pseudo
type: long
suricata.eve.stats.tcp.synack
type: long
suricata.eve.stats.tcp.insert_data_normal_fail
type: long
suricata.eve.stats.tcp.syn
type: long
suricata.eve.stats.tcp.memuse
type: long
suricata.eve.stats.tcp.invalid_checksum
type: long
suricata.eve.stats.tcp.segment_memcap_drop
type: long
suricata.eve.stats.tcp.overlap
type: long
suricata.eve.stats.tcp.insert_list_fail
type: long
suricata.eve.stats.tcp.rst
type: long
suricata.eve.stats.tcp.stream_depth_reached
type: long
suricata.eve.stats.tcp.reassembly_memuse
type: long
suricata.eve.stats.tcp.reassembly_gap
type: long
suricata.eve.stats.tcp.overlap_diff_data
type: long
suricata.eve.stats.tcp.no_flow
type: long
suricata.eve.stats.decoder.avg_pkt_size
type: long
suricata.eve.stats.decoder.bytes
type: long
suricata.eve.stats.decoder.tcp
type: long
suricata.eve.stats.decoder.raw
type: long
suricata.eve.stats.decoder.ppp
type: long
suricata.eve.stats.decoder.vlan_qinq
type: long
suricata.eve.stats.decoder.null
type: long
suricata.eve.stats.decoder.ltnull.unsupported_type
type: long
suricata.eve.stats.decoder.ltnull.pkt_too_small
type: long
suricata.eve.stats.decoder.invalid
type: long
suricata.eve.stats.decoder.gre
type: long
suricata.eve.stats.decoder.ipv4
type: long
suricata.eve.stats.decoder.ipv6
type: long
suricata.eve.stats.decoder.pkts
type: long
suricata.eve.stats.decoder.ipv6_in_ipv6
type: long
suricata.eve.stats.decoder.ipraw.invalid_ip_version
type: long
suricata.eve.stats.decoder.pppoe
type: long
suricata.eve.stats.decoder.udp
type: long
suricata.eve.stats.decoder.dce.pkt_too_small
type: long
suricata.eve.stats.decoder.vlan
type: long
suricata.eve.stats.decoder.sctp
type: long
suricata.eve.stats.decoder.max_pkt_size
type: long
suricata.eve.stats.decoder.teredo
type: long
suricata.eve.stats.decoder.mpls
type: long
suricata.eve.stats.decoder.sll
type: long
suricata.eve.stats.decoder.icmpv6
type: long
suricata.eve.stats.decoder.icmpv4
type: long
suricata.eve.stats.decoder.erspan
type: long
suricata.eve.stats.decoder.ethernet
type: long
suricata.eve.stats.decoder.ipv4_in_ipv6
type: long
suricata.eve.stats.decoder.ieee8021ah
type: long
suricata.eve.stats.dns.memcap_global
type: long
suricata.eve.stats.dns.memcap_state
type: long
suricata.eve.stats.dns.memuse
type: long
suricata.eve.stats.flow_mgr.rows_busy
type: long
suricata.eve.stats.flow_mgr.flows_timeout
type: long
suricata.eve.stats.flow_mgr.flows_notimeout
type: long
suricata.eve.stats.flow_mgr.rows_skipped
type: long
suricata.eve.stats.flow_mgr.closed_pruned
type: long
suricata.eve.stats.flow_mgr.new_pruned
type: long
suricata.eve.stats.flow_mgr.flows_removed
type: long
suricata.eve.stats.flow_mgr.bypassed_pruned
type: long
suricata.eve.stats.flow_mgr.est_pruned
type: long
suricata.eve.stats.flow_mgr.flows_timeout_inuse
type: long
suricata.eve.stats.flow_mgr.flows_checked
type: long
suricata.eve.stats.flow_mgr.rows_maxlen
type: long
suricata.eve.stats.flow_mgr.rows_checked
type: long
suricata.eve.stats.flow_mgr.rows_empty
type: long
suricata.eve.stats.app_layer.flow.tls
type: long
suricata.eve.stats.app_layer.flow.ftp
type: long
suricata.eve.stats.app_layer.flow.http
type: long
suricata.eve.stats.app_layer.flow.failed_udp
type: long
suricata.eve.stats.app_layer.flow.dns_udp
type: long
suricata.eve.stats.app_layer.flow.dns_tcp
type: long
suricata.eve.stats.app_layer.flow.smtp
type: long
suricata.eve.stats.app_layer.flow.failed_tcp
type: long
suricata.eve.stats.app_layer.flow.msn
type: long
suricata.eve.stats.app_layer.flow.ssh
type: long
suricata.eve.stats.app_layer.flow.imap
type: long
suricata.eve.stats.app_layer.flow.dcerpc_udp
type: long
suricata.eve.stats.app_layer.flow.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.flow.smb
type: long
suricata.eve.stats.app_layer.tx.tls
type: long
suricata.eve.stats.app_layer.tx.ftp
type: long
suricata.eve.stats.app_layer.tx.http
type: long
suricata.eve.stats.app_layer.tx.dns_udp
type: long
suricata.eve.stats.app_layer.tx.dns_tcp
type: long
suricata.eve.stats.app_layer.tx.smtp
type: long
suricata.eve.stats.app_layer.tx.ssh
type: long
suricata.eve.stats.app_layer.tx.dcerpc_udp
type: long
suricata.eve.stats.app_layer.tx.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.tx.smb
type: long
suricata.eve.tls.notbefore
type: date
suricata.eve.tls.issuerdn
type: keyword
suricata.eve.tls.sni
type: keyword
suricata.eve.tls.version
type: keyword
suricata.eve.tls.session_resumed
type: boolean
suricata.eve.tls.fingerprint
type: keyword
suricata.eve.tls.serial
type: keyword
suricata.eve.tls.notafter
type: date
suricata.eve.tls.subject
type: keyword
suricata.eve.app_proto_ts
type: keyword
suricata.eve.flow.bytes_toclient

type: alias

alias to: destination.bytes

suricata.eve.flow.start

type: alias

alias to: event.start

suricata.eve.flow.pkts_toclient

type: alias

alias to: destination.packets

suricata.eve.flow.age
type: long
suricata.eve.flow.state
type: keyword
suricata.eve.flow.bytes_toserver

type: alias

alias to: source.bytes

suricata.eve.flow.reason
type: keyword
suricata.eve.flow.pkts_toserver

type: alias

alias to: source.packets

suricata.eve.flow.end
type: date
suricata.eve.flow.alerted
type: boolean
suricata.eve.app_proto

type: alias

alias to: network.protocol

suricata.eve.tx_id
type: long
suricata.eve.app_proto_tc
type: keyword
suricata.eve.smtp.rcpt_to
type: keyword
suricata.eve.smtp.mail_from
type: keyword
suricata.eve.smtp.helo
type: keyword
suricata.eve.app_proto_expected
type: keyword