suricata
output-json-metadata.c
Go to the documentation of this file.
1/* Copyright (C) 2013-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * Logs vars in JSON format.
24 *
25 */
26
27#include "suricata-common.h"
28#include "detect.h"
29#include "flow.h"
30#include "conf.h"
31
32#include "threads.h"
33#include "tm-threads.h"
34#include "threadvars.h"
35#include "util-debug.h"
36
37#include "util-misc.h"
38#include "util-unittest.h"
39#include "util-unittest-helper.h"
40
41#include "detect-parse.h"
42#include "detect-engine.h"
43#include "detect-engine-mpm.h"
44#include "detect-reference.h"
45#include "app-layer-parser.h"
46#include "app-layer-dnp3.h"
47#include "app-layer-htp.h"
48#include "app-layer-htp-xff.h"
49#include "util-classification-config.h"
50#include "util-syslog.h"
51#include "util-logopenfile.h"
52
53#include "output.h"
54#include "output-json.h"
55#include "output-json-metadata.h"
56
57#include "util-byte.h"
58#include "util-privs.h"
59#include "util-print.h"
60#include "util-proto-name.h"
61#include "util-optimize.h"
62#include "util-buffer.h"
63
64#define MODULE_NAME "JsonMetadataLog"
65
66static int MetadataJson(ThreadVars *tv, OutputJsonThreadCtx *aft, const Packet *p)
67{
68 SCJsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "metadata", NULL, aft->ctx);
69 if (unlikely(js == NULL))
70 return TM_ECODE_OK;
71
72 /* If metadata is not enabled for eve, explicitly log it here as this is
73 * what logging metadata is about. */
74 if (!aft->ctx->cfg.include_metadata) {
75 EveAddMetadata(p, p->flow, js);
76 }
77 OutputJsonBuilderBuffer(tv, p, p->flow, js, aft);
78
79 SCJbFree(js);
80 return TM_ECODE_OK;
81}
82
83static int JsonMetadataLogger(ThreadVars *tv, void *thread_data, const Packet *p)
84{
85 OutputJsonThreadCtx *aft = thread_data;
86
87 return MetadataJson(tv, aft, p);
88}
89
90static bool JsonMetadataLogCondition(ThreadVars *tv, void *data, const Packet *p)
91{
92 return p->pktvar != NULL;
93}
94
95void JsonMetadataLogRegister (void)
96{
97 OutputPacketLoggerFunctions output_logger_functions = {
98 .LogFunc = JsonMetadataLogger,
99 .FlushFunc = OutputJsonLogFlush,
100 .ConditionFunc = JsonMetadataLogCondition,
101 .ThreadInitFunc = JsonLogThreadInit,
102 .ThreadDeinitFunc = JsonLogThreadDeinit,
103 .ThreadExitPrintStatsFunc = NULL,
104 };
105
106 OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.metadata",
107 OutputJsonLogInitSub, &output_logger_functions);
108
109 /* Kept for compatibility. */
110 OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.vars",
111 OutputJsonLogInitSub, &output_logger_functions);
112}
tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition output-eve-bindgen.h:32
OutputJsonLogFlush
int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p)
Definition output-json-common.c:73
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(SCConfNode *conf, OutputCtx *parent_ctx)
Definition output-json-common.c:82
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition output-json-common.c:99
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition output-json-common.c:132
MODULE_NAME
#define MODULE_NAME
Definition output-json-metadata.c:64
JsonMetadataLogRegister
void JsonMetadataLogRegister(void)
Definition output-json-metadata.c:95
CreateEveHeader
SCJsonBuilder * CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition output-json.c:850
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
Definition output-json.c:391
OutputJsonBuilderBuffer
void OutputJsonBuilderBuffer(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition output-json.c:1015
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, OutputPacketLoggerFunctions *output_logger_functions)
Register a packet output sub-module.
Definition output.c:234
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition output-json.h:65
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition output-json.h:78
OutputJsonThreadCtx_
Definition output-json.h:83
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition output-json.h:84
OutputPacketLoggerFunctions_
Definition output.h:87
OutputPacketLoggerFunctions_::LogFunc
PacketLogger LogFunc
Definition output.h:88
Packet_
Definition decode.h:501
Packet_::pktvar
PktVar * pktvar
Definition decode.h:597
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
LOGGER_JSON_METADATA
@ LOGGER_JSON_METADATA
Definition suricata-common.h:508
TM_ECODE_OK
@ TM_ECODE_OK
Definition tm-threads-common.h:81
unlikely
#define unlikely(expr)
Definition util-optimize.h:35