- Generated on Thu May 15 2025 23:30:49 for suricata by
1.8.18
|
suricata
|
Structure used to define an EVE output file type plugin. More...
#include <output-eve.h>
Public Member Functions | |
| TAILQ_ENTRY (SCEveFileType_) entries | |
Data Fields | |
| const char * | name |
| The name of the output, used in the configuration. More... | |
| int(* | Init )(const SCConfNode *conf, const bool threaded, void **init_data) |
| Function to initialize this filetype. More... | |
| int(* | ThreadInit )(const void *init_data, const ThreadId thread_id, void **thread_data) |
| Initialize thread specific data. More... | |
| int(* | Write )(const char *buffer, const int buffer_len, const void *init_data, void *thread_data) |
| Called for each EVE log record. More... | |
| void(* | ThreadDeinit )(const void *init_data, void *thread_data) |
| Called to deinitialize each thread. More... | |
| void(* | Deinit )(void *init_data) |
| Final call to deinitialize this filetype. More... | |
Structure used to define an EVE output file type plugin.
EVE filetypes implement an object with a file-like interface and are used to output EVE log records to files, syslog, or database. They can be built-in such as the syslog (see SyslogInitialize()) and nullsink (see NullLogInitialize()) outputs, registered by a library user or dynamically loaded as a plugin.
The life cycle of an EVE filetype is:
Examples:
The EVE logging system can be configured by the Suricata user to run in threaded or non-threaded modes. In the default non-threaded mode, ThreadInit will only be called once and the filetype does not need to be concerned with threads.
However, in threaded mode, ThreadInit will be called multiple times and the filetype needs to be thread aware and thread-safe. If utilizing a unique resource such as a file for each thread then you may be naturally thread safe. However, if sharing a single file handle across all threads then your filetype will have to take care of locking, etc.
Definition at line 74 of file output-eve.h.
| SCEveFileType_::TAILQ_ENTRY | ( | SCEveFileType_ | ) |
| void(* SCEveFileType_::Deinit) (void *init_data) |
Final call to deinitialize this filetype.
Called, usually on exit to deinitialize and free any resources allocated during Init.
| init_data | Data setup in the call to Init. |
Definition at line 167 of file output-eve.h.
Referenced by LogFileFreeCtx().
| int(* SCEveFileType_::Init) (const SCConfNode *conf, const bool threaded, void **init_data) |
Function to initialize this filetype.
| conf | The ConfNode of the eve-log configuration section this filetype is being initialized for |
| threaded | Flag to specify if the EVE sub-systems is in threaded mode or not |
| init_data | An output pointer for filetype specific data |
| 0 | on success, -1 on failure |
Definition at line 104 of file output-eve.h.
Referenced by NullLogInitialize(), PluginInit(), and SyslogInitialize().
| const char* SCEveFileType_::name |
The name of the output, used in the configuration.
This name is used by the configuration file to specify the EVE filetype used.
For example:
Definition at line 89 of file output-eve.h.
Referenced by NullLogInitialize(), PluginInit(), SCEveFindFileType(), and SyslogInitialize().
| void(* SCEveFileType_::ThreadDeinit) (const void *init_data, void *thread_data) |
Called to deinitialize each thread.
This function will be called for each thread. It is where any resources allocated in ThreadInit should be released.
| init_data | The data setup in Init |
| thread_data | The data setup in ThreadInit |
Definition at line 157 of file output-eve.h.
Referenced by LogFileFreeCtx().
| int(* SCEveFileType_::ThreadInit) (const void *init_data, const ThreadId thread_id, void **thread_data) |
Initialize thread specific data.
Initialize any thread specific data. For example, if implementing a file output you might open the files here, so you have one output file per thread.
| init_data | Data setup during Init |
| thread_id | A unique ID to differentiate this thread from others. If EVE is not in threaded mode this will be called one with a ThreadId of 0. In threaded mode the ThreadId of 0 correlates to the main Suricata thread. |
| thread_data | Output pointer for any data required by this thread. |
| 0 | on success, -1 on failure |
Definition at line 125 of file output-eve.h.
| int(* SCEveFileType_::Write) (const char *buffer, const int buffer_len, const void *init_data, void *thread_data) |
Called for each EVE log record.
The Write function is called for each log EVE log record. The provided buffer contains a fully formatted EVE record in JSON format.
| buffer | The fully formatted JSON EVE log record |
| buffer_len | The length of the buffer |
| init_data | The data setup in the call to Init |
| thread_data | The data setup in the call to ThreadInit |
| 0 | on success, -1 on failure |
Definition at line 144 of file output-eve.h.
Referenced by LogFileWrite().
1.8.18