suricata
Data Structures | Macros | Typedefs | Functions | Variables
output-json.c File Reference
#include "suricata-common.h"
#include "detect.h"
#include "flow.h"
#include "conf.h"
#include "threads.h"
#include "tm-threads.h"
#include "threadvars.h"
#include "util-debug.h"
#include "util-time.h"
#include "util-var-name.h"
#include "util-macset.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-reference.h"
#include "app-layer-parser.h"
#include "util-classification-config.h"
#include "util-syslog.h"
#include "output-eve-syslog.h"
#include "output-eve-null.h"
#include "output.h"
#include "output-json.h"
#include "util-byte.h"
#include "util-privs.h"
#include "util-print.h"
#include "util-proto-name.h"
#include "util-optimize.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
#include "util-log-redis.h"
#include "util-device.h"
#include "util-validate.h"
#include "flow-var.h"
#include "flow-bit.h"
#include "flow-storage.h"
#include "source-pcap-file-helper.h"
Include dependency graph for output-json.c:

Go to the source code of this file.

Data Structures

struct  JSONMACAddrInfo
 

Macros

#define DEFAULT_LOG_FILENAME   "eve.json"
 
#define MODULE_NAME   "OutputJSON"
 
#define MAX_JSON_SIZE   2048
 
#define COMMUNITY_ID_BUF_SIZE   64
 

Typedefs

typedef struct JSONMACAddrInfo JSONMACAddrInfo
 

Functions

void OutputJsonRegister (void)
 
json_t * SCJsonString (const char *val)
 
void EveFileInfo (JsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
 
void EveAddMetadata (const Packet *p, const Flow *f, JsonBuilder *js)
 
void EveAddCommonOptions (const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js)
 
void EvePacket (const Packet *p, JsonBuilder *js, unsigned long max_length)
 Jsonify a packet. More...
 
void EveTcpFlags (const uint8_t flags, JsonBuilder *js)
 jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact. More...
 
void JsonAddrInfoInit (const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
 
void CreateEveFlowId (JsonBuilder *js, const Flow *f)
 
JsonBuilder * CreateEveHeader (const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
 
JsonBuilder * CreateEveHeaderWithTxId (const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
 
int OutputJSONMemBufferCallback (const char *str, size_t size, void *data)
 
int OutputJSONBuffer (json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
 
int OutputJsonBuilderBuffer (JsonBuilder *js, OutputJsonThreadCtx *ctx)
 
OutputInitResult OutputJsonInitCtx (ConfNode *conf)
 Create a new LogFileCtx for "fast" output style. More...
 

Variables

const JsonAddrInfo json_addr_info_zero
 

Detailed Description

Author
Tom DeCanio td@np.nosp@m.ulse.nosp@m.tech..nosp@m.com

Logs detection and monitoring events in JSON format.

Definition in file output-json.c.

Macro Definition Documentation

◆ COMMUNITY_ID_BUF_SIZE

#define COMMUNITY_ID_BUF_SIZE   64

Definition at line 591 of file output-json.c.

◆ DEFAULT_LOG_FILENAME

#define DEFAULT_LOG_FILENAME   "eve.json"

Definition at line 76 of file output-json.c.

◆ MAX_JSON_SIZE

#define MAX_JSON_SIZE   2048

Definition at line 79 of file output-json.c.

◆ MODULE_NAME

#define MODULE_NAME   "OutputJSON"

Definition at line 77 of file output-json.c.

Typedef Documentation

◆ JSONMACAddrInfo

typedef struct JSONMACAddrInfo JSONMACAddrInfo

Function Documentation

◆ CreateEveFlowId()

void CreateEveFlowId ( JsonBuilder *  js,
const Flow f 
)

Definition at line 705 of file output-json.c.

Referenced by CreateEveHeader().

Here is the caller graph for this function:

◆ CreateEveHeader()

JsonBuilder* CreateEveHeader ( const Packet p,
enum OutputJsonLogDirection  dir,
const char *  event_type,
JsonAddrInfo addr,
OutputJsonCtx eve_ctx 
)

Definition at line 787 of file output-json.c.

References CreateEveFlowId(), CreateIsoTimeString(), Packet_::flow, Packet_::ts, and unlikely.

Referenced by CreateEveHeaderWithTxId(), and RulesDumpMatchArray().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ CreateEveHeaderWithTxId()

JsonBuilder* CreateEveHeaderWithTxId ( const Packet p,
enum OutputJsonLogDirection  dir,
const char *  event_type,
JsonAddrInfo addr,
uint64_t  tx_id,
OutputJsonCtx eve_ctx 
)

Definition at line 873 of file output-json.c.

References CreateEveHeader(), and unlikely.

Referenced by RulesDumpTxMatchArray().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ EveAddCommonOptions()

void EveAddCommonOptions ( const OutputJsonCommonSettings cfg,
const Packet p,
const Flow f,
JsonBuilder *  js 
)

Definition at line 416 of file output-json.c.

References EveAddMetadata(), OutputJsonCommonSettings_::include_ethernet, and OutputJsonCommonSettings_::include_metadata.

Here is the call graph for this function:

◆ EveAddMetadata()

void EveAddMetadata ( const Packet p,
const Flow f,
JsonBuilder *  js 
)

Definition at line 393 of file output-json.c.

References Flow_::flowvar, and Packet_::pktvar.

Referenced by EveAddCommonOptions().

Here is the caller graph for this function:

◆ EveFileInfo()

void EveFileInfo ( JsonBuilder *  jb,
const File ff,
const uint64_t  tx_id,
const uint16_t  flags 
)

Definition at line 132 of file output-json.c.

References File_::end, FILE_HAS_GAPS, FILE_MD5, FILE_SHA1, FILE_SHA256, FILE_STATE_CLOSED, FILE_STATE_ERROR, FILE_STATE_TRUNCATED, FILE_STORE, File_::file_store_id, FILE_STORED, FileTrackedSize(), flags, File_::flags, JB_SET_FALSE, JB_SET_STRING, JB_SET_TRUE, File_::md5, File_::name, File_::name_len, File_::sha1, File_::sha256, File_::sid, File_::sid_cnt, File_::start, and File_::state.

Here is the call graph for this function:

◆ EvePacket()

void EvePacket ( const Packet p,
JsonBuilder *  js,
unsigned long  max_length 
)

Jsonify a packet.

Parameters
pPacket
jsJSON object
max_lengthIf non-zero, restricts the number of packet data bytes handled.

Definition at line 440 of file output-json.c.

References Packet_::datalink, GET_PKT_DATA, and GET_PKT_LEN.

◆ EveTcpFlags()

void EveTcpFlags ( const uint8_t  flags,
JsonBuilder *  js 
)

jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.

Definition at line 457 of file output-json.c.

References flags, JB_SET_TRUE, TH_ACK, TH_CWR, TH_ECN, TH_FIN, TH_PUSH, TH_RST, TH_SYN, and TH_URG.

◆ JsonAddrInfoInit()

void JsonAddrInfoInit ( const Packet p,
enum OutputJsonLogDirection  dir,
JsonAddrInfo addr 
)

Definition at line 477 of file output-json.c.

References DEBUG_VALIDATE_BUG_ON, JsonAddrInfo_::dp, Packet_::dp, JsonAddrInfo_::dst_ip, GET_IPV4_DST_ADDR_PTR, GET_IPV4_SRC_ADDR_PTR, GET_IPV6_DST_ADDR, GET_IPV6_SRC_ADDR, IP_GET_IPPROTO, IPPROTO_SCTP, JSON_ADDR_LEN, known_proto, LOG_DIR_FLOW, LOG_DIR_FLOW_TOCLIENT, LOG_DIR_FLOW_TOSERVER, LOG_DIR_PACKET, PKT_IS_IPV4, PKT_IS_IPV6, PKT_IS_TOCLIENT, PKT_IS_TOSERVER, PrintInet(), JsonAddrInfo_::proto, Packet_::proto, SCProtoNameValid(), JsonAddrInfo_::sp, Packet_::sp, JsonAddrInfo_::src_ip, and strlcpy().

Referenced by JsonBuildFileInfoRecord().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OutputJSONBuffer()

int OutputJSONBuffer ( json_t *  js,
LogFileCtx file_ctx,
MemBuffer **  buffer 
)

Definition at line 899 of file output-json.c.

References OutputJSONMemBufferWrapper_::buffer, LogFileCtx_::is_pcap_offline, LogFileCtx_::json_flags, JSON_OUTPUT_BUFFER_SIZE, LogFileWrite(), MemBufferWriteRaw(), OutputJSONMemBufferCallback(), PcapFileGetFilename(), LogFileCtx_::prefix, LogFileCtx_::prefix_len, LogFileCtx_::sensor_name, and TM_ECODE_OK.

Here is the call graph for this function:

◆ OutputJsonBuilderBuffer()

int OutputJsonBuilderBuffer ( JsonBuilder *  js,
OutputJsonThreadCtx ctx 
)

Definition at line 928 of file output-json.c.

References OutputJsonThreadCtx_::buffer, OutputJsonThreadCtx_::file_ctx, LogFileCtx_::is_pcap_offline, PcapFileGetFilename(), and LogFileCtx_::sensor_name.

Here is the call graph for this function:

◆ OutputJsonInitCtx()

OutputInitResult OutputJsonInitCtx ( ConfNode conf)

Create a new LogFileCtx for "fast" output style.

Parameters
confThe configuration node for this output.
Returns
A LogFileCtx pointer on success, NULL on failure.

Definition at line 1037 of file output-json.c.

References ConfGet(), ConfNodeLookupChildValue(), OutputCtx_::data, OutputCtx_::DeInit, OutputJsonCtx_::file_ctx, LogFileNewCtx(), SCCalloc, SCLogDebug, SCLogWarning, SCStrdup, LogFileCtx_::sensor_name, and unlikely.

Referenced by OutputJsonRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OutputJSONMemBufferCallback()

int OutputJSONMemBufferCallback ( const char *  str,
size_t  size,
void *  data 
)

Definition at line 886 of file output-json.c.

References OutputJSONMemBufferWrapper_::buffer, OutputJSONMemBufferWrapper_::expand_by, MEMBUFFER_OFFSET, MEMBUFFER_SIZE, MemBufferExpand(), MemBufferWriteRaw(), and str.

Referenced by OutputJSONBuffer().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OutputJsonRegister()

void OutputJsonRegister ( void  )

Definition at line 91 of file output-json.c.

References MODULE_NAME, OutputJsonInitCtx(), and OutputRegisterModule().

Referenced by OutputRegisterLoggers().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCJsonString()

json_t* SCJsonString ( const char *  val)

Definition at line 104 of file output-json.c.

References MAX_JSON_SIZE, offset, and PrintBufferData.

Variable Documentation

◆ json_addr_info_zero

const JsonAddrInfo json_addr_info_zero

Definition at line 89 of file output-json.c.

Referenced by JsonBuildFileInfoRecord().