output-eve_8h_source.html

/* Copyright (C) 2024 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 * \brief EVE logging subsystem

 *

 * This file will attempt to the main module for EVE logging

 * sub-system. Currently most of the API resides in output-json.[ch],

 * but due to some circular dependencies between EVE, and LogFileCtx,

 * it made it hard to add EVE filetype modules there until some

 * include issues are figured out.

 */


#ifndef SURICATA_OUTPUT_EVE_H

#define SURICATA_OUTPUT_EVE_H


#ifndef SURICATA_BINDGEN_H

#include "suricata-common.h"

#include "rust.h"

#include "conf.h"

#else

typedef struct ThreadVars_ ThreadVars;

typedef struct Flow_ Flow;

typedef struct SCJsonBuilder SCJsonBuilder;

typedef struct Packet_ Packet;

#endif


#include "app-layer-protos.h"


typedef uint32_t ThreadId;


typedef enum SCOutputJsonLogDirection {

    LOG_DIR_PACKET = 0,

    LOG_DIR_FLOW,

    LOG_DIR_FLOW_TOCLIENT,

    LOG_DIR_FLOW_TOSERVER,

} SCOutputJsonLogDirection;


typedef bool (*EveJsonSimpleTxLogFunc)(const void *, void *);


typedef struct EveJsonSimpleAppLayerLogger {

    EveJsonSimpleTxLogFunc LogTx;

    const char *name;

} EveJsonSimpleAppLayerLogger;


EveJsonSimpleAppLayerLogger *SCEveJsonSimpleGetLogger(AppProto alproto);


typedef struct EveJsonTxLoggerRegistrationData {

    const char *confname;

    const char *logname;

    AppProto alproto;

    uint8_t dir;

    EveJsonSimpleTxLogFunc LogTx;

} EveJsonTxLoggerRegistrationData;


int SCOutputEvePreRegisterLogger(EveJsonTxLoggerRegistrationData reg_data);


/** \brief Function type for EVE file-type initialization. */

typedef int (*SCEveFileTypeInitFunc)(const SCConfNode *conf, const bool threaded, void **init_data);


/** \brief Function type for EVE file-type thread initialization. */

typedef int (*SCEveFileTypeThreadInitFunc)(

        const void *init_data, const ThreadId thread_id, void **thread_data);


/** \brief Function type for EVE file-type writes. */

typedef int (*SCEveFileTypeWriteFunc)(

        const char *buffer, const int buffer_len, const void *init_data, void *thread_data);


/** \brief Function type for EVE file-type thread deinitialization. */

typedef void (*SCEveFileTypeThreadDeinitFunc)(const void *init_data, void *thread_data);


/** \brief Function type for EVE file-type deinitialization. */

typedef void (*SCEveFileTypeDeinitFunc)(void *init_data);


/** \brief Structure used to define an EVE output file type.

 *

 * EVE filetypes implement an object with a file-like interface and

 * are used to output EVE log records to files, syslog, or

 * database. They can be built-in such as the syslog (see

 * SyslogInitialize()) and nullsink (see NullLogInitialize()) outputs,

 * registered by a library user or dynamically loaded as a plugin.

 *

 * The life cycle of an EVE filetype is:

 *   - Init: called once for each EVE instance using this filetype

 *   - ThreadInit: called once for each output thread

 *   - Write: called for each log record

 *   - ThreadDeinit: called once for each output thread on exit

 *   - Deinit: called once for each EVE instance using this filetype on exit

 *

 * Examples:

 * - built-in syslog: \ref src/output-eve-syslog.c

 * - built-in nullsink: \ref src/output-eve-null.c

 * - example plugin: \ref examples/plugins/c-json-filetype/filetype.c

 *

 * ### Multi-Threaded Note:

 *

 * The EVE logging system can be configured by the Suricata user to

 * run in threaded or non-threaded modes. In the default non-threaded

 * mode, ThreadInit will only be called once and the filetype does not

 * need to be concerned with threads.

 *

 * However, in **threaded** mode, ThreadInit will be called multiple

 * times and the filetype needs to be thread aware and thread-safe. If

 * utilizing a unique resource such as a file for each thread then you

 * may be naturally thread safe. However, if sharing a single file

 * handle across all threads then your filetype will have to take care

 * of locking, etc.

 */

typedef struct SCEveFileType_ {

    /**

     * \brief The name of the output, used in the configuration.

     *

     * This name is used by the configuration file to specify the EVE

     * filetype used.

     *

     * For example:

     *

     * \code{.yaml}

     * outputs:

     *   - eve-log:

     *       filetype: my-output-name

     * \endcode

     */

    const char *name;


    /**

     * \brief Function to initialize this filetype.

     *

     * \param conf The ConfNode of the `eve-log` configuration

     *     section this filetype is being initialized for

     *

     * \param threaded Flag to specify if the EVE sub-systems is in

     *     threaded mode or not

     *

     * \param init_data An output pointer for filetype specific data

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeInitFunc Init;


    /**

     * \brief Initialize thread specific data.

     *

     * Initialize any thread specific data. For example, if

     * implementing a file output you might open the files here, so

     * you have one output file per thread.

     *

     * \param init_data Data setup during Init

     *

     * \param thread_id A unique ID to differentiate this thread from

     *     others. If EVE is not in threaded mode this will be called

     *     once with a ThreadId of 0. In threaded mode the ThreadId of

     *     0 correlates to the main Suricata thread.

     *

     * \param thread_data Output pointer for any data required by this

     *     thread.

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeThreadInitFunc ThreadInit;


    /**

     * \brief Called for each EVE log record.

     *

     * The Write function is called for each log EVE log record. The

     * provided buffer contains a fully formatted EVE record in JSON

     * format.

     *

     * \param buffer The fully formatted JSON EVE log record

     *

     * \param buffer_len The length of the buffer

     *

     * \param init_data The data setup in the call to Init

     *

     * \param thread_data The data setup in the call to ThreadInit

     *

     * \retval 0 on success, -1 on failure

     */

    SCEveFileTypeWriteFunc Write;


    /**

     * \brief Called to deinitialize each thread.

     *

     * This function will be called for each thread. It is where any

     * resources allocated in ThreadInit should be released.

     *

     * \param init_data The data setup in Init

     *

     * \param thread_data The data setup in ThreadInit

     */

    SCEveFileTypeThreadDeinitFunc ThreadDeinit;


    /**

     * \brief Final call to deinitialize this filetype.

     *

     * Called, usually on exit to deinitialize and free any resources

     * allocated during Init.

     *

     * \param init_data Data setup in the call to Init.

     */

    SCEveFileTypeDeinitFunc Deinit;


    /* Internal list management. */

    TAILQ_ENTRY(SCEveFileType_) entries;

} SCEveFileType;


bool SCRegisterEveFileType(SCEveFileType *);


SCEveFileType *SCEveFindFileType(const char *name);


/** \brief Function type for EVE callbacks.

 *

 * The function type for callbacks registered with

 * SCEveRegisterCallback. This function will be called with the

 * SCJsonBuilder just prior to the top-level object being closed. New

 * fields may be added, however, there is no way to alter existing

 * objects already added to the SCJsonBuilder.

 *

 * \param tv The ThreadVars for the thread performing the logging.

 * \param p Packet if available.

 * \param f Flow if available.

 * \param user User data provided during callback registration.

 */

typedef void (*SCEveUserCallbackFn)(

        ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb, void *user);


/** \brief Register a callback for adding extra information to EVE logs.

 *

 * Allow users to register a callback for each EVE log. The callback

 * is called just before the root object on the SCJsonBuilder is to be

 * closed.

 *

 * New objects and fields can be appended, but existing entries cannot be modified.

 *

 * Packet and Flow will be provided if available, but will otherwise be

 * NULL.

 *

 * Limitations: At this time the callbacks will only be called for EVE

 * loggers that use SCJsonBuilder, notably this means it won't be called

 * for stats records at this time.

 *

 * \returns true if callback is registered, false is not due to memory

 *     allocation error.

 */

bool SCEveRegisterCallback(SCEveUserCallbackFn fn, void *user);


/** \internal

 *

 * Run EVE callbacks.

 */

void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, SCJsonBuilder *jb);


#endif