I am running Suricata on a pfSense 2.4.5-p1 firewall. Suricata is configured to output logs to EVE JSON, type Syslog. Under logging settings, “Send alerts to System log” is checked, and pfSense successfully sends these logs to Graylog (4.0.1) on a Syslog UDP input. All is received fine.
However, there are three distinct ‘message’ fields: ‘full_message’, ‘json’ and ‘message’. I’ve noticed that some other sources end up with ‘full_message’ and ‘message’ fields as well.
This obviously takes up a lot of storage space and seems repetitive. What is the best practice for dealing with this? Leave them all, or keep only one (if so, which)? Would you use pipeline rules to drop the unwanted message fields, or extractors? Any help or suggestions (including any actual rules, if you have them) would be greatly appreciated.
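As an added illustration of the pipeline-rule approach asked about above (not part of the original post, and not an official Graylog or Suricata artifact), here is a Graylog processing-pipeline rule that drops ‘full_message’ only when it is redundant with ‘message’. It assumes a typical syslog layout in which ‘full_message’ is the raw syslog line and ‘message’ is the MSG part of that same line, so ‘message’ is a substring of ‘full_message’; the rule name, the stage number and the field names other than the built-in ‘message’ and ‘full_message’ are illustrative. ‘message’ itself is deliberately never removed, since Graylog treats it as a required field.

```text
// Added example, not from the original post.
// Attach this rule to a pipeline stage (stage 0 here is an assumption) that is
// connected to the stream carrying the pfSense/Suricata syslog input.
rule "drop redundant full_message"
when
  // Only act when both fields exist and full_message merely repeats message
  // (the raw syslog line contains the MSG part, so a substring check suffices).
  has_field("full_message") &&
  has_field("message") &&
  contains(to_string($message.full_message), to_string($message.message))
then
  // Keep "message" (Graylog requires it); discard the redundant raw copy.
  remove_field("full_message");
  // Optional: record that the field was dropped, for auditing the rule's effect.
  set_field("full_message_dropped", true);
end
```

Before relying on a rule like this, confirm on a handful of stored Suricata events that ‘full_message’ really is just the syslog-wrapped copy of ‘message’ and that the EVE JSON you want to search on lives in ‘json’; if ‘full_message’ ever carries data that ‘message’ does not, the contains() guard leaves it untouched rather than losing it. Also check the Syslog UDP input’s own settings: Graylog syslog inputs have a “Store full message?” option, and turning it off stops ‘full_message’ from being stored at ingest, which is cheaper than removing it afterwards in a pipeline.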