suricata
output-json-metadata.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs vars in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "detect.h"
29 #include "flow.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "tm-threads.h"
34 #include "threadvars.h"
35 #include "util-debug.h"
36 
37 #include "util-misc.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 
41 #include "detect-parse.h"
42 #include "detect-engine.h"
43 #include "detect-engine-mpm.h"
44 #include "detect-reference.h"
45 #include "app-layer-parser.h"
46 #include "app-layer-dnp3.h"
47 #include "app-layer-htp.h"
48 #include "app-layer-htp-xff.h"
49 #include "util-classification-config.h"
50 #include "util-syslog.h"
51 #include "util-logopenfile.h"
52 
53 #include "output.h"
54 #include "output-json.h"
55 #include "output-json-metadata.h"
56 
57 #include "util-byte.h"
58 #include "util-privs.h"
59 #include "util-print.h"
60 #include "util-proto-name.h"
61 #include "util-optimize.h"
62 #include "util-buffer.h"
63 
64 #define MODULE_NAME "JsonMetadataLog"
65 
66 static int MetadataJson(ThreadVars *tv, OutputJsonThreadCtx *aft, const Packet *p)
67 {
68  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "metadata", NULL, aft->ctx);
69  if (unlikely(js == NULL))
70  return TM_ECODE_OK;
71 
72  /* If metadata is not enabled for eve, explicitly log it here as this is
73  * what logging metadata is about. */
74  if (!aft->ctx->cfg.include_metadata) {
75  EveAddMetadata(p, p->flow, js);
76  }
77  OutputJsonBuilderBuffer(js, aft);
78 
79  jb_free(js);
80  return TM_ECODE_OK;
81 }
82 
83 static int JsonMetadataLogger(ThreadVars *tv, void *thread_data, const Packet *p)
84 {
85  OutputJsonThreadCtx *aft = thread_data;
86 
87  return MetadataJson(tv, aft, p);
88 }
89 
90 static int JsonMetadataLogCondition(ThreadVars *tv, void *data, const Packet *p)
91 {
92  if (p->pktvar) {
93  return TRUE;
94  }
95  return FALSE;
96 }
97 
98 void JsonMetadataLogRegister (void)
99 {
100  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.metadata",
101  OutputJsonLogInitSub, JsonMetadataLogger, JsonMetadataLogCondition, JsonLogThreadInit,
102  JsonLogThreadDeinit, NULL);
103 
104  /* Kept for compatibility. */
105  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.vars",
106  OutputJsonLogInitSub, JsonMetadataLogger, JsonMetadataLogCondition, JsonLogThreadInit,
107  JsonLogThreadDeinit, NULL);
108 }
util-byte.h
tm-threads.h
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:73
detect-engine.h
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:90
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:90
threads.h
util-syslog.h
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:934
util-privs.h
util-unittest.h
util-unittest-helper.h
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:389
app-layer-htp.h
util-debug.h
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:521
app-layer-dnp3.h
output-json.h
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:796
util-print.h
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
FALSE
#define FALSE
Definition: suricata-common.h:34
MODULE_NAME
#define MODULE_NAME
Definition: output-json-metadata.c:64
Packet_
Definition: decode.h:428
conf.h
util-proto-name.h
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
LOGGER_JSON_METADATA
@ LOGGER_JSON_METADATA
Definition: suricata-common.h:479
suricata-common.h
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:216
util-classification-config.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
JsonMetadataLogRegister
void JsonMetadataLogRegister(void)
Definition: output-json-metadata.c:98
util-optimize.h
threadvars.h
output-json-metadata.h
util-logopenfile.h
detect-parse.h
util-buffer.h
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:123
util-misc.h
flow.h
output.h