output-eve-bindgen_8h_source.html

/* Copyright (C) 2025 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * This file contains definitions that should be made available

 * to rust via bindgen.

 *

 */


#ifndef SURICATA_OUTPUT_EVE_BINDGEN_H

#define SURICATA_OUTPUT_EVE_BINDGEN_H


#include "app-layer-protos.h"


typedef uint32_t ThreadId;


typedef enum SCOutputJsonLogDirection {

    LOG_DIR_PACKET = 0,

    LOG_DIR_FLOW,

    LOG_DIR_FLOW_TOCLIENT,

    LOG_DIR_FLOW_TOSERVER,

} SCOutputJsonLogDirection;


typedef bool (*EveJsonSimpleTxLogFunc)(const void *, void *);


typedef struct EveJsonSimpleAppLayerLogger {

    EveJsonSimpleTxLogFunc LogTx;

    const char *name;

} EveJsonSimpleAppLayerLogger;


EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto);


typedef struct EveJsonTxLoggerRegistrationData {

    const char *confname;

    const char *logname;

    AppProto alproto;

    uint8_t dir;

    EveJsonSimpleTxLogFunc LogTx;

} EveJsonTxLoggerRegistrationData;


int SCOutputEvePreRegisterLogger(EveJsonTxLoggerRegistrationData reg_data);


/** \brief Function type for EVE file-type initialization. */

typedef int (*SCEveFileTypeInitFunc)(const SCConfNode *conf, const bool threaded, void **init_data);


/** \brief Function type for EVE file-type thread initialization. */

typedef int (*SCEveFileTypeThreadInitFunc)(

        const void *init_data, const ThreadId thread_id, void **thread_data);


/** \brief Function type for EVE file-type writes. */

typedef int (*SCEveFileTypeWriteFunc)(

        const char *buffer, const int buffer_len, const void *init_data, void *thread_data);


/** \brief Function type for EVE file-type thread deinitialization. */

typedef void (*SCEveFileTypeThreadDeinitFunc)(const void *init_data, void *thread_data);


/** \brief Function type for EVE file-type deinitialization. */

typedef void (*SCEveFileTypeDeinitFunc)(void *init_data);


/** \brief Structure used to define an EVE output file type.

 *

 * EVE filetypes implement an object with a file-like interface and

 * are used to output EVE log records to files, syslog, or

 * database. They can be built-in such as the syslog (see

 * SyslogInitialize()) and nullsink (see NullLogInitialize()) outputs,

 * registered by a library user or dynamically loaded as a plugin.

 *

 * The life cycle of an EVE filetype is:

 *   - Init: called once for each EVE instance using this filetype

 *   - ThreadInit: called once for each output thread

 *   - Write: called for each log record

 *   - ThreadDeinit: called once for each output thread on exit

 *   - Deinit: called once for each EVE instance using this filetype on exit

 *

 * Examples:

 * - built-in syslog: \ref src/output-eve-syslog.c

 * - built-in nullsink: \ref src/output-eve-null.c

 * - example plugin: \ref examples/plugins/c-json-filetype/filetype.c

 *

 * ### Multi-Threaded Note:

 *

 * The EVE logging system can be configured by the Suricata user to

 * run in threaded or non-threaded modes. In the default non-threaded

 * mode, ThreadInit will only be called once and the filetype does not

 * need to be concerned with threads.

 *

 * However, in **threaded** mode, ThreadInit will be called multiple

 * times and the filetype needs to be thread aware and thread-safe. If

 * utilizing a unique resource such as a file for each thread then you

 * may be naturally thread safe. However, if sharing a single file

 * handle across all threads then your filetype will have to take care

 * of locking, etc.

 */

typedef struct SCEveFileType_ {

    /**

     * \brief The name of the output, used in the configuration.

     *

     * This name is used by the configuration file to specify the EVE

     * filetype used.

     *

     * For example:

     *

     * \code{.yaml}

     * outputs:

     *   - eve-log:

     *       filetype: my-output-name

     * \endcode

     */

    const char *name;


    /**

     * \brief Function to initialize this filetype.

     *

     * \param conf The ConfNode of the `eve-log` configuration

     *     section this filetype is being initialized for

     *

     * \param threaded Flag to specify if the EVE sub-systems is in

     *     threaded mode or not

     *

     * \param init_data An output pointer for filetype specific data

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeInitFunc Init;


    /**

     * \brief Initialize thread specific data.

     *

     * Initialize any thread specific data. For example, if

     * implementing a file output you might open the files here, so

     * you have one output file per thread.

     *

     * \param init_data Data setup during Init

     *

     * \param thread_id A unique ID to differentiate this thread from

     *     others. If EVE is not in threaded mode this will be called

     *     once with a ThreadId of 0. In threaded mode the ThreadId of

     *     0 correlates to the main Suricata thread.

     *

     * \param thread_data Output pointer for any data required by this

     *     thread.

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeThreadInitFunc ThreadInit;


    /**

     * \brief Called for each EVE log record.

     *

     * The Write function is called for each log EVE log record. The

     * provided buffer contains a fully formatted EVE record in JSON

     * format.

     *

     * \param buffer The fully formatted JSON EVE log record

     *

     * \param buffer_len The length of the buffer

     *

     * \param init_data The data setup in the call to Init

     *

     * \param thread_data The data setup in the call to ThreadInit

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeWriteFunc Write;


    /**

     * \brief Called to deinitialize each thread.

     *

     * This function will be called for each thread. It is where any

     * resources allocated in ThreadInit should be released.

     *

     * \param init_data The data setup in Init

     *

     * \param thread_data The data setup in ThreadInit

     */

    SCEveFileTypeThreadDeinitFunc ThreadDeinit;


    /**

     * \brief Final call to deinitialize this filetype.

     *

     * Called, usually on exit to deinitialize and free any resources

     * allocated during Init.

     *

     * \param init_data Data setup in the call to Init.

     */

    SCEveFileTypeDeinitFunc Deinit;


    /* Internal list management. */

    TAILQ_ENTRY(SCEveFileType_) entries;

} SCEveFileType;


bool SCRegisterEveFileType(SCEveFileType *);


#endif /* ! SURICATA_OUTPUT_EVE_BINDGEN_H */