suricata
output-json-metadata.c
Go to the documentation of this file.
1 /* Copyright (C) 2013-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs vars in JSON format.
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "detect.h"
30 #include "flow.h"
31 #include "conf.h"
32 
33 #include "threads.h"
34 #include "tm-threads.h"
35 #include "threadvars.h"
36 #include "util-debug.h"
37 
38 #include "util-misc.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-reference.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-dnp3.h"
48 #include "app-layer-htp.h"
49 #include "app-layer-htp-xff.h"
50 #include "util-classification-config.h"
51 #include "util-syslog.h"
52 #include "util-logopenfile.h"
53 
54 #include "output.h"
55 #include "output-json.h"
56 #include "output-json-metadata.h"
57 
58 #include "util-byte.h"
59 #include "util-privs.h"
60 #include "util-print.h"
61 #include "util-proto-name.h"
62 #include "util-optimize.h"
63 #include "util-buffer.h"
64 #include "util-crypt.h"
65 
66 #define MODULE_NAME "JsonMetadataLog"
67 
68 static int MetadataJson(ThreadVars *tv, OutputJsonThreadCtx *aft, const Packet *p)
69 {
70  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "metadata", NULL, aft->ctx);
71  if (unlikely(js == NULL))
72  return TM_ECODE_OK;
73 
74  /* If metadata is not enabled for eve, explicitly log it here as this is
75  * what logging metadata is about. */
76  if (!aft->ctx->cfg.include_metadata) {
77  EveAddMetadata(p, p->flow, js);
78  }
79  OutputJsonBuilderBuffer(js, aft);
80 
81  jb_free(js);
82  return TM_ECODE_OK;
83 }
84 
85 static int JsonMetadataLogger(ThreadVars *tv, void *thread_data, const Packet *p)
86 {
87  OutputJsonThreadCtx *aft = thread_data;
88 
89  return MetadataJson(tv, aft, p);
90 }
91 
92 static int JsonMetadataLogCondition(ThreadVars *tv, const Packet *p)
93 {
94  if (p->pktvar) {
95  return TRUE;
96  }
97  return FALSE;
98 }
99 
100 void JsonMetadataLogRegister (void)
101 {
102  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.metadata",
103  OutputJsonLogInitSub, JsonMetadataLogger, JsonMetadataLogCondition, JsonLogThreadInit,
104  JsonLogThreadDeinit, NULL);
105 
106  /* Kept for compatibility. */
107  OutputRegisterPacketSubModule(LOGGER_JSON_METADATA, "eve-log", MODULE_NAME, "eve-log.vars",
108  OutputJsonLogInitSub, JsonMetadataLogger, JsonMetadataLogCondition, JsonLogThreadInit,
109  JsonLogThreadDeinit, NULL);
110 }
util-byte.h
tm-threads.h
OutputJsonLogInitSub
OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
Definition: output-json-common.c:88
detect-engine.h
OutputJsonThreadCtx_::ctx
OutputJsonCtx * ctx
Definition: output-json.h:90
OutputJsonCtx_::cfg
OutputJsonCommonSettings cfg
Definition: output-json.h:84
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
JsonLogThreadInit
TmEcode JsonLogThreadInit(ThreadVars *t, const void *initdata, void **data)
Definition: output-json-common.c:105
threads.h
util-syslog.h
OutputJsonBuilderBuffer
int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
Definition: output-json.c:975
util-privs.h
util-unittest.h
util-unittest-helper.h
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
app-layer-htp-xff.h
OutputJsonThreadCtx_
Definition: output-json.h:89
detect-reference.h
EveAddMetadata
void EveAddMetadata(const Packet *p, const Flow *f, JsonBuilder *js)
Definition: output-json.c:402
app-layer-htp.h
util-debug.h
Packet_::pktvar
PktVar * pktvar
Definition: decode.h:499
app-layer-dnp3.h
output-json.h
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:839
util-print.h
detect-engine-mpm.h
util-crypt.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
FALSE
#define FALSE
Definition: suricata-common.h:34
MODULE_NAME
#define MODULE_NAME
Definition: output-json-metadata.c:66
Packet_
Definition: decode.h:414
conf.h
util-proto-name.h
OutputJsonCommonSettings_::include_metadata
bool include_metadata
Definition: output-json.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
LOGGER_JSON_METADATA
@ LOGGER_JSON_METADATA
Definition: suricata-common.h:487
suricata-common.h
OutputRegisterPacketSubModule
void OutputRegisterPacketSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output sub-module.
Definition: output.c:214
util-classification-config.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
JsonMetadataLogRegister
void JsonMetadataLogRegister(void)
Definition: output-json-metadata.c:100
util-optimize.h
threadvars.h
output-json-metadata.h
util-logopenfile.h
detect-parse.h
util-buffer.h
JsonLogThreadDeinit
TmEcode JsonLogThreadDeinit(ThreadVars *t, void *data)
Definition: output-json-common.c:138
util-misc.h
flow.h
debug.h
output.h