EVE logging subsystem. More...
Go to the source code of this file.
Data Structures | |
| struct | SCEveFileType_ |
| Structure used to define an EVE output file type plugin. More... | |
Typedefs | |
| typedef uint32_t | ThreadId |
| typedef struct SCEveFileType_ | SCEveFileType |
| Structure used to define an EVE output file type plugin. More... | |
Functions | |
| bool | SCRegisterEveFileType (SCEveFileType *) |
| Register an Eve file type. More... | |
| SCEveFileType * | SCEveFindFileType (const char *name) |
Detailed Description
EVE logging subsystem.
This file will attempt to the main module for EVE logging sub-system. Currently most of the API resides in output-json.[ch], but due to some circular dependencies between EVE, and LogFileCtx, it made it hard to add EVE filetype modules there until some include issues are figured out.
Definition in file output-eve.h.
Typedef Documentation
◆ SCEveFileType
| typedef struct SCEveFileType_ SCEveFileType |
Structure used to define an EVE output file type plugin.
EVE filetypes implement an object with a file-like interface and are used to output EVE log records to files, syslog, or database. They can be built-in such as the syslog (see SyslogInitialize()) and nullsink (see NullLogInitialize()) outputs, registered by a library user or dynamically loaded as a plugin.
The life cycle of an EVE filetype is:
- Init: called once for each EVE instance using this filetype
- ThreadInit: called once for each output thread
- Write: called for each log record
- ThreadInit: called once for each output thread on exit
- Deinit: called once for each EVE instance using this filetype on exit
Examples:
- built-in syslog: src/output-eve-syslog.c
- built-in nullsink: src/output-eve-null.c
- example plugin: examples/plugins/c-json-filetype/filetype.c
Multi-Threaded Note:
The EVE logging system can be configured by the Suricata user to run in threaded or non-threaded modes. In the default non-threaded mode, ThreadInit will only be called once and the filetype does not need to be concerned with threads.
However, in threaded mode, ThreadInit will be called multiple times and the filetype needs to be thread aware and thread-safe. If utilizing a unique resource such as a file for each thread then you may be naturally thread safe. However, if sharing a single file handle across all threads then your filetype will have to take care of locking, etc.
◆ ThreadId
| typedef uint32_t ThreadId |
Definition at line 36 of file output-eve.h.
Function Documentation
◆ SCEveFindFileType()
| SCEveFileType* SCEveFindFileType | ( | const char * | name | ) |
Definition at line 43 of file output-eve.c.
References SCEveFileType_::name, and TAILQ_FOREACH.
◆ SCRegisterEveFileType()
| bool SCRegisterEveFileType | ( | SCEveFileType * | plugin | ) |
Register an Eve file type.
- Return values
-
true if registered successfully, false if the file type name conflicts with a built-in or previously registered file type.
Definition at line 61 of file output-eve.c.
References SCEveFileType_::name, SCLogDebug, SCLogError, TAILQ_FOREACH, and TAILQ_INSERT_TAIL.
