
Suricata fields

Module for handling the EVE JSON logs produced by Suricata.

Fields from the Suricata EVE log file.

Fields exported by the EVE JSON logs

suricata.eve.event_type
type: keyword
suricata.eve.app_proto_orig
type: keyword
suricata.eve.tcp.tcp_flags
type: keyword
suricata.eve.tcp.psh
type: boolean
suricata.eve.tcp.tcp_flags_tc
type: keyword
suricata.eve.tcp.ack
type: boolean
suricata.eve.tcp.syn
type: boolean
suricata.eve.tcp.state
type: keyword
suricata.eve.tcp.tcp_flags_ts
type: keyword
suricata.eve.tcp.rst
type: boolean
suricata.eve.tcp.fin
type: boolean
suricata.eve.fileinfo.sha1
type: keyword
suricata.eve.fileinfo.tx_id
type: long
suricata.eve.fileinfo.state
type: keyword
suricata.eve.fileinfo.stored
type: boolean
suricata.eve.fileinfo.gaps
type: boolean
suricata.eve.fileinfo.sha256
type: keyword
suricata.eve.fileinfo.md5
type: keyword
suricata.eve.icmp_type
type: long
suricata.eve.pcap_cnt
type: long
suricata.eve.dns.type
type: keyword
suricata.eve.dns.rrtype
type: keyword
suricata.eve.dns.rrname
type: keyword
suricata.eve.dns.rdata
type: keyword
suricata.eve.dns.tx_id
type: long
suricata.eve.dns.ttl
type: long
suricata.eve.dns.rcode
type: keyword
suricata.eve.dns.id
type: long
suricata.eve.flow_id
type: keyword
suricata.eve.email.status
type: keyword
suricata.eve.icmp_code
type: long
suricata.eve.http.redirect
type: keyword
suricata.eve.http.protocol
type: keyword
suricata.eve.http.http_content_type
type: keyword
suricata.eve.in_iface
type: keyword
suricata.eve.alert.metadata
Metadata about the alert.

type: flattened

suricata.eve.alert.category
type: keyword
suricata.eve.alert.rev
type: long
suricata.eve.alert.gid
type: long
suricata.eve.alert.signature
type: keyword
suricata.eve.alert.signature_id
type: long
suricata.eve.alert.protocols
type: keyword
suricata.eve.alert.attack_target
type: keyword
suricata.eve.alert.capec_id
type: keyword
suricata.eve.alert.cwe_id
type: keyword
suricata.eve.alert.malware
type: keyword
suricata.eve.alert.cve
type: keyword
suricata.eve.alert.cvss_v2_base
type: keyword
suricata.eve.alert.cvss_v2_temporal
type: keyword
suricata.eve.alert.cvss_v3_base
type: keyword
suricata.eve.alert.cvss_v3_temporal
type: keyword
suricata.eve.alert.priority
type: keyword
suricata.eve.alert.hostile
type: keyword
suricata.eve.alert.infected
type: keyword
suricata.eve.alert.created_at
type: date
suricata.eve.alert.updated_at
type: date
suricata.eve.alert.classtype
type: keyword
suricata.eve.alert.rule_source
type: keyword
suricata.eve.alert.sid
type: keyword
suricata.eve.alert.affected_product
type: keyword
suricata.eve.alert.deployment
type: keyword
suricata.eve.alert.former_category
type: keyword
suricata.eve.alert.mitre_tool_id
type: keyword
suricata.eve.alert.performance_impact
type: keyword
suricata.eve.alert.signature_severity
type: keyword
suricata.eve.alert.tag
type: keyword
suricata.eve.ssh.client.proto_version
type: keyword
suricata.eve.ssh.client.software_version
type: keyword
suricata.eve.ssh.server.proto_version
type: keyword
suricata.eve.ssh.server.software_version
type: keyword
suricata.eve.stats.capture.kernel_packets
type: long
suricata.eve.stats.capture.kernel_drops
type: long
suricata.eve.stats.capture.kernel_ifdrops
type: long
suricata.eve.stats.uptime
type: long
suricata.eve.stats.detect.alert
type: long
suricata.eve.stats.http.memcap
type: long
suricata.eve.stats.http.memuse
type: long
suricata.eve.stats.file_store.open_files
type: long
suricata.eve.stats.defrag.max_frag_hits
type: long
suricata.eve.stats.defrag.ipv4.timeouts
type: long
suricata.eve.stats.defrag.ipv4.fragments
type: long
suricata.eve.stats.defrag.ipv4.reassembled
type: long
suricata.eve.stats.defrag.ipv6.timeouts
type: long
suricata.eve.stats.defrag.ipv6.fragments
type: long
suricata.eve.stats.defrag.ipv6.reassembled
type: long
suricata.eve.stats.flow.tcp_reuse
type: long
suricata.eve.stats.flow.udp
type: long
suricata.eve.stats.flow.memcap
type: long
suricata.eve.stats.flow.emerg_mode_entered
type: long
suricata.eve.stats.flow.emerg_mode_over
type: long
suricata.eve.stats.flow.tcp
type: long
suricata.eve.stats.flow.icmpv6
type: long
suricata.eve.stats.flow.icmpv4
type: long
suricata.eve.stats.flow.spare
type: long
suricata.eve.stats.flow.memuse
type: long
suricata.eve.stats.tcp.pseudo_failed
type: long
suricata.eve.stats.tcp.ssn_memcap_drop
type: long
suricata.eve.stats.tcp.insert_data_overlap_fail
type: long
suricata.eve.stats.tcp.sessions
type: long
suricata.eve.stats.tcp.pseudo
type: long
suricata.eve.stats.tcp.synack
type: long
suricata.eve.stats.tcp.insert_data_normal_fail
type: long
suricata.eve.stats.tcp.syn
type: long
suricata.eve.stats.tcp.memuse
type: long
suricata.eve.stats.tcp.invalid_checksum
type: long
suricata.eve.stats.tcp.segment_memcap_drop
type: long
suricata.eve.stats.tcp.overlap
type: long
suricata.eve.stats.tcp.insert_list_fail
type: long
suricata.eve.stats.tcp.rst
type: long
suricata.eve.stats.tcp.stream_depth_reached
type: long
suricata.eve.stats.tcp.reassembly_memuse
type: long
suricata.eve.stats.tcp.reassembly_gap
type: long
suricata.eve.stats.tcp.overlap_diff_data
type: long
suricata.eve.stats.tcp.no_flow
type: long
suricata.eve.stats.decoder.avg_pkt_size
type: long
suricata.eve.stats.decoder.bytes
type: long
suricata.eve.stats.decoder.tcp
type: long
suricata.eve.stats.decoder.raw
type: long
suricata.eve.stats.decoder.ppp
type: long
suricata.eve.stats.decoder.vlan_qinq
type: long
suricata.eve.stats.decoder.null
type: long
suricata.eve.stats.decoder.ltnull.unsupported_type
type: long
suricata.eve.stats.decoder.ltnull.pkt_too_small
type: long
suricata.eve.stats.decoder.invalid
type: long
suricata.eve.stats.decoder.gre
type: long
suricata.eve.stats.decoder.ipv4
type: long
suricata.eve.stats.decoder.ipv6
type: long
suricata.eve.stats.decoder.pkts
type: long
suricata.eve.stats.decoder.ipv6_in_ipv6
type: long
suricata.eve.stats.decoder.ipraw.invalid_ip_version
type: long
suricata.eve.stats.decoder.pppoe
type: long
suricata.eve.stats.decoder.udp
type: long
suricata.eve.stats.decoder.dce.pkt_too_small
type: long
suricata.eve.stats.decoder.vlan
type: long
suricata.eve.stats.decoder.sctp
type: long
suricata.eve.stats.decoder.max_pkt_size
type: long
suricata.eve.stats.decoder.teredo
type: long
suricata.eve.stats.decoder.mpls
type: long
suricata.eve.stats.decoder.sll
type: long
suricata.eve.stats.decoder.icmpv6
type: long
suricata.eve.stats.decoder.icmpv4
type: long
suricata.eve.stats.decoder.erspan
type: long
suricata.eve.stats.decoder.ethernet
type: long
suricata.eve.stats.decoder.ipv4_in_ipv6
type: long
suricata.eve.stats.decoder.ieee8021ah
type: long
suricata.eve.stats.dns.memcap_global
type: long
suricata.eve.stats.dns.memcap_state
type: long
suricata.eve.stats.dns.memuse
type: long
suricata.eve.stats.flow_mgr.rows_busy
type: long
suricata.eve.stats.flow_mgr.flows_timeout
type: long
suricata.eve.stats.flow_mgr.flows_notimeout
type: long
suricata.eve.stats.flow_mgr.rows_skipped
type: long
suricata.eve.stats.flow_mgr.closed_pruned
type: long
suricata.eve.stats.flow_mgr.new_pruned
type: long
suricata.eve.stats.flow_mgr.flows_removed
type: long
suricata.eve.stats.flow_mgr.bypassed_pruned
type: long
suricata.eve.stats.flow_mgr.est_pruned
type: long
suricata.eve.stats.flow_mgr.flows_timeout_inuse
type: long
suricata.eve.stats.flow_mgr.flows_checked
type: long
suricata.eve.stats.flow_mgr.rows_maxlen
type: long
suricata.eve.stats.flow_mgr.rows_checked
type: long
suricata.eve.stats.flow_mgr.rows_empty
type: long
suricata.eve.stats.app_layer.flow.tls
type: long
suricata.eve.stats.app_layer.flow.ftp
type: long
suricata.eve.stats.app_layer.flow.http
type: long
suricata.eve.stats.app_layer.flow.failed_udp
type: long
suricata.eve.stats.app_layer.flow.dns_udp
type: long
suricata.eve.stats.app_layer.flow.dns_tcp
type: long
suricata.eve.stats.app_layer.flow.smtp
type: long
suricata.eve.stats.app_layer.flow.failed_tcp
type: long
suricata.eve.stats.app_layer.flow.msn
type: long
suricata.eve.stats.app_layer.flow.ssh
type: long
suricata.eve.stats.app_layer.flow.imap
type: long
suricata.eve.stats.app_layer.flow.dcerpc_udp
type: long
suricata.eve.stats.app_layer.flow.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.flow.smb
type: long
suricata.eve.stats.app_layer.tx.tls
type: long
suricata.eve.stats.app_layer.tx.ftp
type: long
suricata.eve.stats.app_layer.tx.http
type: long
suricata.eve.stats.app_layer.tx.dns_udp
type: long
suricata.eve.stats.app_layer.tx.dns_tcp
type: long
suricata.eve.stats.app_layer.tx.smtp
type: long
suricata.eve.stats.app_layer.tx.ssh
type: long
suricata.eve.stats.app_layer.tx.dcerpc_udp
type: long
suricata.eve.stats.app_layer.tx.dcerpc_tcp
type: long
suricata.eve.stats.app_layer.tx.smb
type: long
suricata.eve.tls.notbefore
type: date
suricata.eve.tls.issuerdn
type: keyword
suricata.eve.tls.sni
type: keyword
suricata.eve.tls.version
type: keyword
suricata.eve.tls.session_resumed
type: boolean
suricata.eve.tls.fingerprint
type: keyword
suricata.eve.tls.serial
type: keyword
suricata.eve.tls.notafter
type: date
suricata.eve.tls.subject
type: keyword
suricata.eve.tls.ja3s.string
type: keyword
suricata.eve.tls.ja3s.hash
type: keyword
suricata.eve.tls.ja3.string
type: keyword
suricata.eve.tls.ja3.hash
type: keyword
suricata.eve.app_proto_ts
type: keyword
suricata.eve.flow.age
type: long
suricata.eve.flow.state
type: keyword
suricata.eve.flow.reason
type: keyword
suricata.eve.flow.alerted
type: boolean
suricata.eve.tx_id
type: long
suricata.eve.app_proto_tc
type: keyword
suricata.eve.smtp.rcpt_to
type: keyword
suricata.eve.smtp.mail_from
type: keyword
suricata.eve.smtp.helo
type: keyword
suricata.eve.app_proto_expected
type: keyword