Hi, I am currently looking for a pattern extractor for Suricata EVE event logs. I had something working in the past but, like an idiot, I deleted the stream without backing up my extractors! An example of the EVE logs is below. I will continue to scour the internet and will post something if I find one.
OPNsense.localdomain suricata[50751]: {"timestamp": "2019-09-12T09:36:12.858390-0400", "flow_id": 459131075438488, "in_iface": "em2", "event_type": "alert", "src_ip": "10.244.4.71", "src_port": 65361, "dest_ip": "10.11.0.1", "dest_port": 9000, "proto": "TCP", "tx_id": 86, "alert": {"action": "allowed", "gid": 1, "signature_id": 2006380, "rev": 13, "signature": "ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted", "category": "Potential Corporate Privacy Violation", "severity": 1, "metadata": {"updated_at": ["2019_03_18"], "created_at": ["2010_07_30"]}}, "http": {"hostname": "10.11.0.1", "http_port": 9000, "url": "/api/sidecars/f1e5de6b-5f55-479f-80fe-c877e1f56c27", "http_user_agent": "Graylog Collector v1.0.1", "http_content_type": "application/json", "http_method": "PUT", "protocol": "HTTP/1.1", "status": 202, "length": 211}, "app_proto": "http", "flow": {"pkts_toserver": 119, "pkts_toclient": 89, "bytes_toserver": 51271, "bytes_toclient": 30309, "start": "2019-09-12T09:31:20.731032-0400"}}