#include "suricata-common.h"#include "flow.h"#include "conf.h"#include "util-debug.h"#include "util-time.h"#include "util-var-name.h"#include "util-macset.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "detect-engine.h"#include "util-classification-config.h"#include "util-syslog.h"#include "output-eve-syslog.h"#include "output-eve-null.h"#include "output.h"#include "output-json.h"#include "util-byte.h"#include "util-print.h"#include "util-proto-name.h"#include "util-optimize.h"#include "util-buffer.h"#include "util-logopenfile.h"#include "util-log-redis.h"#include "util-device-private.h"#include "util-validate.h"#include "flow-var.h"#include "flow-bit.h"#include "flow-storage.h"#include "source-pcap-file-helper.h"
Go to the source code of this file.
Data Structures | |
| struct | JSONMACAddrInfo |
Macros | |
| #define | DEFAULT_LOG_FILENAME "eve.json" |
| #define | MODULE_NAME "OutputJSON" |
| #define | MAX_JSON_SIZE 2048 |
| #define | COMMUNITY_ID_BUF_SIZE 64 |
Typedefs | |
| typedef struct JSONMACAddrInfo | JSONMACAddrInfo |
Functions | |
| void | OutputJsonRegister (void) |
| json_t * | SCJsonString (const char *val) |
| void | EveFileInfo (SCJsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags) |
| void | EveAddMetadata (const Packet *p, const Flow *f, SCJsonBuilder *js) |
| void | EveAddCommonOptions (const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir) |
| void | EvePacket (const Packet *p, SCJsonBuilder *js, uint32_t max_length) |
| Jsonify a packet. | |
| void | EveTcpFlags (const uint8_t flags, SCJsonBuilder *js) |
| jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact. | |
| void | JsonAddrInfoInit (const Packet *p, enum SCOutputJsonLogDirection dir, JsonAddrInfo *addr) |
| void | CreateEveFlowId (SCJsonBuilder *js, const Flow *f) |
| void | JSONFormatAndAddMACAddr (SCJsonBuilder *js, const char *key, const uint8_t *val, bool is_array) |
| SCJsonBuilder * | CreateEveHeader (const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx) |
| SCJsonBuilder * | CreateEveHeaderWithTxId (const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx) |
| int | OutputJSONMemBufferCallback (const char *str, size_t size, void *data) |
| int | OutputJSONBuffer (json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer) |
| void | OutputJsonFlush (OutputJsonThreadCtx *ctx) |
| void | OutputJsonBuilderBuffer (ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *js, OutputJsonThreadCtx *ctx) |
| OutputInitResult | OutputJsonInitCtx (SCConfNode *conf) |
| Create a new LogFileCtx for "fast" output style. | |
Variables | |
| const JsonAddrInfo | json_addr_info_zero |
Detailed Description
Logs detection and monitoring events in JSON format.
Definition in file output-json.c.
Macro Definition Documentation
◆ COMMUNITY_ID_BUF_SIZE
| #define COMMUNITY_ID_BUF_SIZE 64 |
Definition at line 601 of file output-json.c.
◆ DEFAULT_LOG_FILENAME
| #define DEFAULT_LOG_FILENAME "eve.json" |
Definition at line 66 of file output-json.c.
◆ MAX_JSON_SIZE
| #define MAX_JSON_SIZE 2048 |
Definition at line 69 of file output-json.c.
◆ MODULE_NAME
| #define MODULE_NAME "OutputJSON" |
Definition at line 67 of file output-json.c.
Typedef Documentation
◆ JSONMACAddrInfo
| typedef struct JSONMACAddrInfo JSONMACAddrInfo |
Function Documentation
◆ CreateEveFlowId()
| void CreateEveFlowId | ( | SCJsonBuilder * | js, |
| const Flow * | f | ||
| ) |
Definition at line 716 of file output-json.c.
References Flow_::parent_id.
Referenced by CreateEveHeader().
◆ CreateEveHeader()
| SCJsonBuilder * CreateEveHeader | ( | const Packet * | p, |
| enum SCOutputJsonLogDirection | dir, | ||
| const char * | event_type, | ||
| JsonAddrInfo * | addr, | ||
| OutputJsonCtx * | eve_ctx | ||
| ) |
Definition at line 850 of file output-json.c.
References OutputJsonCtx_::cfg, Packet_::code, CreateEveFlowId(), CreateIsoTimeString(), LiveDevice_::dev, JsonAddrInfo_::dp, JsonAddrInfo_::dst_ip, EveAddCommonOptions(), Packet_::flow, Packet_::icmp_s, json_addr_info_zero, JsonAddrInfoInit(), Packet_::livedev, JsonAddrInfo_::log_port, Packet_::pcap_cnt, Packet_::pkt_src, PktSrcToString(), Packet_::proto, JsonAddrInfo_::proto, JsonAddrInfo_::sp, JsonAddrInfo_::src_ip, Packet_::ts, type, Packet_::type, unlikely, Packet_::vlan_id, and Packet_::vlan_idx.
Referenced by CreateEveHeaderWithTxId(), JsonBuildFileInfoRecord(), and RulesDumpMatchArray().
◆ CreateEveHeaderWithTxId()
| SCJsonBuilder * CreateEveHeaderWithTxId | ( | const Packet * | p, |
| enum SCOutputJsonLogDirection | dir, | ||
| const char * | event_type, | ||
| JsonAddrInfo * | addr, | ||
| uint64_t | tx_id, | ||
| OutputJsonCtx * | eve_ctx | ||
| ) |
Definition at line 953 of file output-json.c.
References CreateEveHeader(), and unlikely.
Referenced by RulesDumpTxMatchArray().
◆ EveAddCommonOptions()
| void EveAddCommonOptions | ( | const OutputJsonCommonSettings * | cfg, |
| const Packet * | p, | ||
| const Flow * | f, | ||
| SCJsonBuilder * | js, | ||
| enum SCOutputJsonLogDirection | dir | ||
| ) |
Definition at line 414 of file output-json.c.
References OutputJsonCommonSettings_::community_id_seed, EveAddMetadata(), OutputJsonCommonSettings_::include_community_id, OutputJsonCommonSettings_::include_ethernet, OutputJsonCommonSettings_::include_metadata, OutputJsonCommonSettings_::include_suricata_version, PROG_VER, and Flow_::tenant_id.
Referenced by CreateEveHeader().
◆ EveAddMetadata()
Definition at line 391 of file output-json.c.
References Flow_::flowvar, and Packet_::pktvar.
Referenced by EveAddCommonOptions().
◆ EveFileInfo()
| void EveFileInfo | ( | SCJsonBuilder * | jb, |
| const File * | ff, | ||
| const uint64_t | tx_id, | ||
| const uint16_t | flags | ||
| ) |
Definition at line 124 of file output-json.c.
References File_::end, FILE_HAS_GAPS, FILE_MD5, FILE_SHA1, FILE_SHA256, FILE_STATE_CLOSED, FILE_STATE_ERROR, FILE_STATE_TRUNCATED, FILE_STORE, File_::file_store_id, FILE_STORED, FileTrackedSize(), flags, File_::flags, JB_SET_FALSE, JB_SET_STRING, JB_SET_TRUE, File_::md5, File_::name, File_::name_len, File_::sha1, File_::sha256, File_::sid, File_::sid_cnt, File_::start, and File_::state.
Referenced by JsonBuildFileInfoRecord().
◆ EvePacket()
| void EvePacket | ( | const Packet * | p, |
| SCJsonBuilder * | js, | ||
| uint32_t | max_length | ||
| ) |
Jsonify a packet.
- Parameters
-
p Packet js JSON object max_length If non-zero, restricts the number of packet data bytes handled.
Definition at line 441 of file output-json.c.
References Packet_::datalink, DatalinkValueToName(), GET_PKT_DATA, and GET_PKT_LEN.
◆ EveTcpFlags()
| void EveTcpFlags | ( | const uint8_t | flags, |
| SCJsonBuilder * | js | ||
| ) |
◆ JsonAddrInfoInit()
| void JsonAddrInfoInit | ( | const Packet * | p, |
| enum SCOutputJsonLogDirection | dir, | ||
| JsonAddrInfo * | addr | ||
| ) |
Definition at line 486 of file output-json.c.
References DEBUG_VALIDATE_BUG_ON, Packet_::dp, JsonAddrInfo_::dp, JsonAddrInfo_::dst_ip, GET_IPV4_DST_ADDR_PTR, GET_IPV4_SRC_ADDR_PTR, GET_IPV6_DST_ADDR, GET_IPV6_SRC_ADDR, IPPROTO_SCTP, JSON_ADDR_LEN, known_proto, LOG_DIR_FLOW, LOG_DIR_FLOW_TOCLIENT, LOG_DIR_FLOW_TOSERVER, LOG_DIR_PACKET, JsonAddrInfo_::log_port, PKT_IS_TOCLIENT, PKT_IS_TOSERVER, PrintInet(), Packet_::proto, JsonAddrInfo_::proto, SCProtoNameValid(), Packet_::sp, JsonAddrInfo_::sp, JsonAddrInfo_::src_ip, and strlcpy().
Referenced by CreateEveHeader(), and JsonBuildFileInfoRecord().
◆ JSONFormatAndAddMACAddr()
| void JSONFormatAndAddMACAddr | ( | SCJsonBuilder * | js, |
| const char * | key, | ||
| const uint8_t * | val, | ||
| bool | is_array | ||
| ) |
Definition at line 728 of file output-json.c.
◆ OutputJSONBuffer()
| int OutputJSONBuffer | ( | json_t * | js, |
| LogFileCtx * | file_ctx, | ||
| MemBuffer ** | buffer | ||
| ) |
Definition at line 980 of file output-json.c.
References OutputJSONMemBufferWrapper_::buffer, LogFileCtx_::is_pcap_offline, LogFileCtx_::json_flags, JSON_OUTPUT_BUFFER_SIZE, LogFileWrite(), MemBufferWriteRaw(), OutputJSONMemBufferCallback(), PcapFileGetFilename(), LogFileCtx_::prefix, LogFileCtx_::prefix_len, LogFileCtx_::sensor_name, and TM_ECODE_OK.
◆ OutputJsonBuilderBuffer()
| void OutputJsonBuilderBuffer | ( | ThreadVars * | tv, |
| const Packet * | p, | ||
| Flow * | f, | ||
| SCJsonBuilder * | js, | ||
| OutputJsonThreadCtx * | ctx | ||
| ) |
Definition at line 1015 of file output-json.c.
References ctx, DEBUG_VALIDATE_BUG_ON, LogFileCtx_::is_pcap_offline, LogFileWrite(), MEMBUFFER_OFFSET, MEMBUFFER_SIZE, MemBufferExpand(), MemBufferWriteRaw(), MIN, PcapFileGetFilename(), LogFileCtx_::prefix, LogFileCtx_::prefix_len, SCEveRunCallbacks(), SCLogWarning, LogFileCtx_::sensor_name, and tv.
◆ OutputJsonFlush()
| void OutputJsonFlush | ( | OutputJsonThreadCtx * | ctx | ) |
Definition at line 1009 of file output-json.c.
References ctx, and LogFileFlush().
◆ OutputJsonInitCtx()
| OutputInitResult OutputJsonInitCtx | ( | SCConfNode * | conf | ) |
Create a new LogFileCtx for "fast" output style.
- Parameters
-
conf The configuration node for this output.
- Returns
- A LogFileCtx pointer on success, NULL on failure.
Definition at line 1141 of file output-json.c.
References OutputJsonCtx_::cfg, OutputJsonCommonSettings_::community_id_seed, OutputInitResult_::ctx, OutputCtx_::data, OutputCtx_::DeInit, FatalError, OutputJsonCtx_::file_ctx, OutputJsonCtx_::filetype, HttpXFFGetCfg(), OutputJsonCommonSettings_::include_community_id, OutputJsonCommonSettings_::include_ethernet, OutputJsonCommonSettings_::include_metadata, OutputJsonCommonSettings_::include_suricata_version, LogFileCtx_::is_pcap_offline, likely, LOGFILE_TYPE_FILETYPE, LOGFILE_TYPE_NOTSET, LogFileFreeCtx(), LogFileNewCtx(), OutputInitResult_::ok, LogFileCtx_::prefix, LogFileCtx_::prefix_len, RUNMODE_PCAP_FILE, RUNMODE_UNIX_SOCKET, SCCalloc, SCConfGet(), SCConfNodeLookupChild(), SCConfNodeLookupChildValue(), SCConfValIsFalse(), SCConfValIsTrue(), SCEveFindFileType(), SCFree, SCLogConfig, SCLogDebug, SCLogInfo, SCLogWarning, SCRunmodeGet(), SCStrdup, LogFileCtx_::sensor_name, StringParseUint16(), StringParseUint64(), LogFileCtx_::threaded, LogFileCtx_::type, unlikely, SCConfNode_::val, and OutputJsonCtx_::xff_cfg.
Referenced by OutputJsonRegister().
◆ OutputJSONMemBufferCallback()
| int OutputJSONMemBufferCallback | ( | const char * | str, |
| size_t | size, | ||
| void * | data | ||
| ) |
Definition at line 966 of file output-json.c.
References OutputJSONMemBufferWrapper_::buffer, DEBUG_VALIDATE_BUG_ON, OutputJSONMemBufferWrapper_::expand_by, MEMBUFFER_OFFSET, MEMBUFFER_SIZE, MemBufferExpand(), MemBufferWriteRaw(), and str.
Referenced by OutputJSONBuffer().
◆ OutputJsonRegister()
| void OutputJsonRegister | ( | void | ) |
Definition at line 83 of file output-json.c.
References MODULE_NAME, NullLogInitialize(), OutputJsonInitCtx(), OutputRegisterModule(), and SyslogInitialize().
Referenced by OutputRegisterLoggers().
◆ SCJsonString()
| json_t * SCJsonString | ( | const char * | val | ) |
Definition at line 96 of file output-json.c.
References MAX_JSON_SIZE, offset, and PrintBufferData.
Variable Documentation
◆ json_addr_info_zero
| const JsonAddrInfo json_addr_info_zero |
Definition at line 81 of file output-json.c.
Referenced by CreateEveHeader(), and JsonBuildFileInfoRecord().
