suricata
Data Structures | Macros | Typedefs | Functions | Variables
output-json.c File Reference
#include "suricata-common.h"
#include "flow.h"
#include "conf.h"
#include "util-debug.h"
#include "util-time.h"
#include "util-var-name.h"
#include "util-macset.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "detect-engine.h"
#include "util-classification-config.h"
#include "util-syslog.h"
#include "output-eve-syslog.h"
#include "output-eve-null.h"
#include "output.h"
#include "output-json.h"
#include "util-byte.h"
#include "util-print.h"
#include "util-proto-name.h"
#include "util-optimize.h"
#include "util-buffer.h"
#include "util-logopenfile.h"
#include "util-log-redis.h"
#include "util-device.h"
#include "util-validate.h"
#include "flow-var.h"
#include "flow-bit.h"
#include "flow-storage.h"
#include "source-pcap-file-helper.h"
Include dependency graph for output-json.c:

Go to the source code of this file.

Data Structures

struct  JSONMACAddrInfo
 

Macros

#define DEFAULT_LOG_FILENAME   "eve.json"
 
#define MODULE_NAME   "OutputJSON"
 
#define MAX_JSON_SIZE   2048
 
#define COMMUNITY_ID_BUF_SIZE   64
 

Typedefs

typedef struct JSONMACAddrInfo JSONMACAddrInfo
 

Functions

void OutputJsonRegister (void)
 
json_t * SCJsonString (const char *val)
 
void EveFileInfo (JsonBuilder *jb, const File *ff, const uint64_t tx_id, const uint16_t flags)
 
void EveAddMetadata (const Packet *p, const Flow *f, JsonBuilder *js)
 
void EveAddCommonOptions (const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, JsonBuilder *js, enum OutputJsonLogDirection dir)
 
void EvePacket (const Packet *p, JsonBuilder *js, uint32_t max_length)
 Jsonify a packet. More...
 
void EveTcpFlags (const uint8_t flags, JsonBuilder *js)
 jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact. More...
 
void JsonAddrInfoInit (const Packet *p, enum OutputJsonLogDirection dir, JsonAddrInfo *addr)
 
void CreateEveFlowId (JsonBuilder *js, const Flow *f)
 
void JSONFormatAndAddMACAddr (JsonBuilder *js, const char *key, const uint8_t *val, bool is_array)
 
JsonBuilder * CreateEveHeader (const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
 
JsonBuilder * CreateEveHeaderWithTxId (const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
 
int OutputJSONMemBufferCallback (const char *str, size_t size, void *data)
 
int OutputJSONBuffer (json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
 
int OutputJsonBuilderBuffer (ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
 
OutputInitResult OutputJsonInitCtx (ConfNode *conf)
 Create a new LogFileCtx for "fast" output style. More...
 

Variables

const JsonAddrInfo json_addr_info_zero
 

Detailed Description

Author
Tom DeCanio td@np.nosp@m.ulse.nosp@m.tech..nosp@m.com

Logs detection and monitoring events in JSON format.

Definition in file output-json.c.

Macro Definition Documentation

◆ COMMUNITY_ID_BUF_SIZE

#define COMMUNITY_ID_BUF_SIZE   64

Definition at line 575 of file output-json.c.

◆ DEFAULT_LOG_FILENAME

#define DEFAULT_LOG_FILENAME   "eve.json"

Definition at line 67 of file output-json.c.

◆ MAX_JSON_SIZE

#define MAX_JSON_SIZE   2048

Definition at line 70 of file output-json.c.

◆ MODULE_NAME

#define MODULE_NAME   "OutputJSON"

Definition at line 68 of file output-json.c.

Typedef Documentation

◆ JSONMACAddrInfo

typedef struct JSONMACAddrInfo JSONMACAddrInfo

Function Documentation

◆ CreateEveFlowId()

void CreateEveFlowId ( JsonBuilder *  js,
const Flow f 
)

Definition at line 689 of file output-json.c.

Referenced by CreateEveHeader().

Here is the caller graph for this function:

◆ CreateEveHeader()

JsonBuilder* CreateEveHeader ( const Packet p,
enum OutputJsonLogDirection  dir,
const char *  event_type,
JsonAddrInfo addr,
OutputJsonCtx eve_ctx 
)

Definition at line 806 of file output-json.c.

References CreateEveFlowId(), CreateIsoTimeString(), Packet_::flow, Packet_::ts, and unlikely.

Referenced by CreateEveHeaderWithTxId(), and RulesDumpMatchArray().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ CreateEveHeaderWithTxId()

JsonBuilder* CreateEveHeaderWithTxId ( const Packet p,
enum OutputJsonLogDirection  dir,
const char *  event_type,
JsonAddrInfo addr,
uint64_t  tx_id,
OutputJsonCtx eve_ctx 
)

Definition at line 902 of file output-json.c.

References CreateEveHeader(), and unlikely.

Referenced by RulesDumpTxMatchArray().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ EveAddCommonOptions()

void EveAddCommonOptions ( const OutputJsonCommonSettings cfg,
const Packet p,
const Flow f,
JsonBuilder *  js,
enum OutputJsonLogDirection  dir 
)

Definition at line 398 of file output-json.c.

References EveAddMetadata(), OutputJsonCommonSettings_::include_ethernet, and OutputJsonCommonSettings_::include_metadata.

Here is the call graph for this function:

◆ EveAddMetadata()

void EveAddMetadata ( const Packet p,
const Flow f,
JsonBuilder *  js 
)

Definition at line 375 of file output-json.c.

References Flow_::flowvar, and Packet_::pktvar.

Referenced by EveAddCommonOptions().

Here is the caller graph for this function:

◆ EveFileInfo()

void EveFileInfo ( JsonBuilder *  jb,
const File ff,
const uint64_t  tx_id,
const uint16_t  flags 
)

Definition at line 124 of file output-json.c.

References File_::end, FILE_HAS_GAPS, FILE_MD5, FILE_SHA1, FILE_SHA256, FILE_STATE_CLOSED, FILE_STATE_ERROR, FILE_STATE_TRUNCATED, FILE_STORE, File_::file_store_id, FILE_STORED, FileTrackedSize(), flags, File_::flags, JB_SET_FALSE, JB_SET_STRING, JB_SET_TRUE, File_::md5, File_::name, File_::name_len, File_::sha1, File_::sha256, File_::sid, File_::sid_cnt, File_::start, and File_::state.

Here is the call graph for this function:

◆ EvePacket()

void EvePacket ( const Packet p,
JsonBuilder *  js,
uint32_t  max_length 
)

Jsonify a packet.

Parameters
pPacket
jsJSON object
max_lengthIf non-zero, restricts the number of packet data bytes handled.

Definition at line 422 of file output-json.c.

References Packet_::datalink, GET_PKT_DATA, and GET_PKT_LEN.

◆ EveTcpFlags()

void EveTcpFlags ( const uint8_t  flags,
JsonBuilder *  js 
)

jsonify tcp flags field Only add 'true' fields in an attempt to keep things reasonably compact.

Definition at line 439 of file output-json.c.

References flags, JB_SET_TRUE, TH_ACK, TH_CWR, TH_ECN, TH_FIN, TH_PUSH, TH_RST, TH_SYN, and TH_URG.

◆ JsonAddrInfoInit()

void JsonAddrInfoInit ( const Packet p,
enum OutputJsonLogDirection  dir,
JsonAddrInfo addr 
)

Definition at line 459 of file output-json.c.

References LOG_DIR_PACKET.

Referenced by JsonBuildFileInfoRecord().

Here is the caller graph for this function:

◆ JSONFormatAndAddMACAddr()

void JSONFormatAndAddMACAddr ( JsonBuilder *  js,
const char *  key,
const uint8_t *  val,
bool  is_array 
)

Definition at line 701 of file output-json.c.

◆ OutputJSONBuffer()

int OutputJSONBuffer ( json_t *  js,
LogFileCtx file_ctx,
MemBuffer **  buffer 
)

Definition at line 929 of file output-json.c.

References OutputJSONMemBufferWrapper_::buffer, LogFileCtx_::is_pcap_offline, LogFileCtx_::json_flags, JSON_OUTPUT_BUFFER_SIZE, LogFileWrite(), MemBufferWriteRaw(), OutputJSONMemBufferCallback(), PcapFileGetFilename(), LogFileCtx_::prefix, LogFileCtx_::prefix_len, LogFileCtx_::sensor_name, and TM_ECODE_OK.

Here is the call graph for this function:

◆ OutputJsonBuilderBuffer()

int OutputJsonBuilderBuffer ( ThreadVars tv,
const Packet p,
Flow f,
JsonBuilder *  js,
OutputJsonThreadCtx ctx 
)

Definition at line 958 of file output-json.c.

References ctx, LogFileCtx_::is_pcap_offline, PcapFileGetFilename(), SCEveRunCallbacks(), LogFileCtx_::sensor_name, and tv.

Here is the call graph for this function:

◆ OutputJsonInitCtx()

OutputInitResult OutputJsonInitCtx ( ConfNode conf)

Create a new LogFileCtx for "fast" output style.

Parameters
confThe configuration node for this output.
Returns
A LogFileCtx pointer on success, NULL on failure.

Definition at line 1073 of file output-json.c.

References ConfGet(), ConfNodeLookupChildValue(), OutputCtx_::data, OutputCtx_::DeInit, OutputJsonCtx_::file_ctx, LogFileNewCtx(), SCCalloc, SCLogDebug, SCLogWarning, SCStrdup, LogFileCtx_::sensor_name, and unlikely.

Referenced by OutputJsonRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OutputJSONMemBufferCallback()

int OutputJSONMemBufferCallback ( const char *  str,
size_t  size,
void *  data 
)

Definition at line 915 of file output-json.c.

References OutputJSONMemBufferWrapper_::buffer, DEBUG_VALIDATE_BUG_ON, OutputJSONMemBufferWrapper_::expand_by, MEMBUFFER_OFFSET, MEMBUFFER_SIZE, MemBufferExpand(), MemBufferWriteRaw(), and str.

Referenced by OutputJSONBuffer().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ OutputJsonRegister()

void OutputJsonRegister ( void  )

Definition at line 83 of file output-json.c.

References MODULE_NAME, OutputJsonInitCtx(), and OutputRegisterModule().

Referenced by OutputRegisterLoggers().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCJsonString()

json_t* SCJsonString ( const char *  val)

Definition at line 96 of file output-json.c.

References MAX_JSON_SIZE, offset, and PrintBufferData.

Variable Documentation

◆ json_addr_info_zero

const JsonAddrInfo json_addr_info_zero

Definition at line 81 of file output-json.c.

Referenced by JsonBuildFileInfoRecord().