
How to create multiple Suricata eve-log outputs #11376

Open
TOoSmOotH opened this issue Sep 23, 2023 Discussed in #11368 · 0 comments

Comments

@TOoSmOotH
Contributor

TOoSmOotH commented Sep 23, 2023

Discussed in #11368

Originally posted by senatesan September 21, 2023

Version

2.4.10

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

16

Storage for /

162

Storage for /nsm

326

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I need to have multiple suricata eve logger instances for a customization I'm working on. The process to do this in suricata is documented here https://docs.suricata.io/en/suricata-6.0.13/output/eve/eve-json-output.html#multiple-logger-instances.

In the past, when I was using SO 2.3 I was able to implement this change by modifying my sensor's pillar sls file and adding my additional eve-log section to the suricata config like this:

suricata:
  config:
    rule-files:
      - all.rules
    outputs:
      - eve-log:
          enabled: 'yes'
          filetype: regular
          filename: /nsm/alerts.json
          pcap-file: false
          community-id: true
          community-id-seed: 0
          xff:
            enabled: 'no'
            mode: extra-data
            deployment: reverse
            header: X-Forwarded-For
          types:
            - alert
      - eve-log:
          enabled: 'yes'
          filetype: regular
          filename: /nsm/eve-%Y-%m-%d-%H:%M.json
          rotate-interval: hour
          pcap-file: false
          community-id: true
          community-id-seed: 0
          xff:
            enabled: 'no'
            mode: extra-data
            deployment: reverse
            header: X-Forwarded-For
          types:
          - alert:
              payload: 'no'
              payload-buffer-size: 4kb
              payload-printable: 'yes'
              packet: 'yes'
              metadata:
                app-layer: false
                flow: false
                rule:
                  metadata: true
                  raw: true
              tagged-packets: 'no'

Now that I'm using SO 2.4.10 I have tried to make this same change but have not succeeded. I tried using the SOC's Configuration page adding my YAML in suricata>advanced but it did not seem to apply my custom config. This is the custom YAML I tried, but it doesn't seem to be applied to my sensor's /opt/so/conf/suricata/suricata.yaml after running a highstate:

config:
  outputs:
    - eve-log:
        enabled: 'yes'
        filetype: regular
        filename: /nsm/alerts.json
        pcap-file: false
        community-id: true
        community-id-seed: 0
        xff:
          enabled: 'no'
          mode: extra-data
          deployment: reverse
          header: X-Forwarded-For
        types:
        - alert
    - eve-log:
        enabled: 'yes'
        filetype: regular
        filename: /nsm/eve-%Y-%m-%d-%H:%M.json
        rotate-interval: hour
        pcap-file: false
        community-id: true
        community-id-seed: 0
        xff:
          enabled: 'no'
          mode: extra-data
          deployment: reverse
          header: X-Forwarded-For
        types:
        - alert:
            payload: 'no'
            payload-buffer-size: 4kb
            payload-printable: 'yes'
            packet: 'yes'
            metadata:
              app-layer: false
              flow: false
              rule:
                metadata: true
                raw: true
            tagged-packets: 'no'

What is the best way to make this custom config change to Suricata? Is there any other way to create multiple eve logger instances?
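An added sanity check, not part of this issue and not Security Onion or Suricata code: before pushing a multi-instance eve-log configuration through a highstate, it helps to confirm that the outputs list actually contains two enabled instances with distinct filenames and a non-empty types list, since the symptom described above (the rendered suricata.yaml not carrying the custom outputs) is indistinguishable at first glance from a merge that silently dropped one instance. The sample input below is the poster's YAML transcribed into Python dicts so that the script runs without a YAML library; with PyYAML installed you would load the rendered file and pass its outputs list instead. The check names and the hour-rotation heuristic are this example's own assumptions, not Suricata rules.

```python
"""Check a list of Suricata eve-log output instances for the usual mistakes.

Added example, not Security Onion or Suricata code.  The sample OUTPUTS list
is the issue's YAML transcribed into Python dicts (constructed input, so the
script runs offline without PyYAML).
"""
import re

# Constructed input: the two eve-log instances from the issue, as dicts.
OUTPUTS = [
    {"eve-log": {
        "enabled": "yes",
        "filetype": "regular",
        "filename": "/nsm/alerts.json",
        "community-id": True,
        "types": ["alert"],
    }},
    {"eve-log": {
        "enabled": "yes",
        "filetype": "regular",
        "filename": "/nsm/eve-%Y-%m-%d-%H:%M.json",
        "rotate-interval": "hour",
        "community-id": True,
        "types": [{"alert": {"payload": "no", "packet": "yes"}}],
    }},
]

# strftime-style tokens that Suricata expands in eve filenames
STRFTIME = re.compile(r"%[YmdHMS]")


def is_enabled(value):
    """YAML may hand us a bool or a quoted string ('yes'); treat both alike."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "1")


def eve_instances(outputs):
    """Return the enabled eve-log dicts, in order, from a Suricata outputs list."""
    found = []
    for entry in outputs:
        inst = entry.get("eve-log") if isinstance(entry, dict) else None
        if inst is not None and is_enabled(inst.get("enabled")):
            found.append(inst)
    return found


def check_eve_outputs(outputs, expected=2):
    """Return a list of problem strings; an empty list means the config looks deployable."""
    problems = []
    instances = eve_instances(outputs)
    if len(instances) < expected:
        problems.append(f"only {len(instances)} enabled eve-log instance(s), expected {expected}")
    seen = {}
    for i, inst in enumerate(instances):
        fname = inst.get("filename")
        if not fname:
            problems.append(f"instance {i}: missing filename")
            continue
        if fname in seen:
            # two instances writing the same file clobber each other's output
            problems.append(f"instance {i}: filename {fname!r} already used by instance {seen[fname]}")
        seen[fname] = i
        if STRFTIME.search(fname) and not inst.get("rotate-interval"):
            # heuristic (assumption): a time pattern without rotation is usually unintended
            problems.append(f"instance {i}: time pattern in filename but no rotate-interval")
        if not inst.get("types"):
            problems.append(f"instance {i}: no types listed, this instance will log nothing")
    return problems


if __name__ == "__main__":
    for line in check_eve_outputs(OUTPUTS) or ["ok: eve-log outputs look consistent"]:
        print(line)
```

Run it against the outputs list of the rendered /opt/so/conf/suricata/suricata.yaml after the highstate: if the custom section was not applied, the first finding will be the instance count, which is the quickest way to tell a dropped override from a typo in the override itself.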
