suricata
SCEveFileType_ Struct Reference

Structure used to define an EVE output file type. More...

#include <output-eve-bindgen.h>


Public Member Functions

 TAILQ_ENTRY (SCEveFileType_) entries
 

Data Fields

const char * name
 The name of the output, used in the configuration. More...
 
SCEveFileTypeInitFunc Init
 Function to initialize this filetype. More...
 
SCEveFileTypeThreadInitFunc ThreadInit
 Initialize thread specific data. More...
 
SCEveFileTypeWriteFunc Write
 Called for each EVE log record. More...
 
SCEveFileTypeThreadDeinitFunc ThreadDeinit
 Called to deinitialize each thread. More...
 
SCEveFileTypeDeinitFunc Deinit
 Final call to deinitialize this filetype. More...
 

Detailed Description

Structure used to define an EVE output file type.

EVE filetypes implement an object with a file-like interface and are used to output EVE log records to files, syslog, or a database. They can be built-in, such as the syslog (see SyslogInitialize()) and nullsink (see NullLogInitialize()) outputs, registered by a library user, or dynamically loaded as a plugin.

The life cycle of an EVE filetype is:

  • Init: called once for each EVE instance using this filetype
  • ThreadInit: called once for each output thread
  • Write: called for each log record
  • ThreadDeinit: called once for each output thread on exit
  • Deinit: called once for each EVE instance using this filetype on exit

Examples:

Multi-Threaded Note:

The EVE logging system can be configured by the Suricata user to run in threaded or non-threaded modes. In the default non-threaded mode, ThreadInit will only be called once and the filetype does not need to be concerned with threads.

However, in threaded mode, ThreadInit will be called multiple times and the filetype needs to be thread-aware and thread-safe. If each thread uses its own resource, such as one file per thread, the filetype may be naturally thread-safe. If a single file handle is shared across all threads, the filetype has to take care of locking itself.
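As an added example (not code from the Suricata project or from this header), the skeleton below implements a filetype that follows the life cycle listed above and takes the per-thread-resource route from the multi-threaded note: each output thread opens its own handle in ThreadInit, so Write touches no shared state and needs no lock. The typedefs at the top are local stand-ins written from the parameter lists documented on this page, not the real declarations from output-eve-bindgen.h; the filetype name, the record contents and the RunLifecycle driver are constructed for the demonstration, and the trailing newline written after each record is an assumption about the on-disk format.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Suricata types (assumption: mirrors the parameters this page
 * documents; the real definitions live in output-eve-bindgen.h, not included). */
typedef int ThreadId;
typedef struct SCConfNode_ SCConfNode; /* opaque here */
typedef int (*SCEveFileTypeInitFunc)(const SCConfNode *conf, bool threaded, void **init_data);
typedef int (*SCEveFileTypeThreadInitFunc)(const void *init_data, ThreadId thread_id, void **thread_data);
typedef int (*SCEveFileTypeWriteFunc)(const char *buffer, int buffer_len, const void *init_data, void *thread_data);
typedef void (*SCEveFileTypeThreadDeinitFunc)(const void *init_data, void *thread_data);
typedef void (*SCEveFileTypeDeinitFunc)(void *init_data);

typedef struct SCEveFileType_ {
    const char *name;
    SCEveFileTypeInitFunc Init;
    SCEveFileTypeThreadInitFunc ThreadInit;
    SCEveFileTypeWriteFunc Write;
    SCEveFileTypeThreadDeinitFunc ThreadDeinit;
    SCEveFileTypeDeinitFunc Deinit;
} SCEveFileType;

/* Instance-wide state: created by Init, owned until Deinit. */
typedef struct { bool threaded; } TmpInitData;

/* Per-thread state: every output thread gets its own FILE*, so Write never
 * shares a resource between threads and needs no lock. */
typedef struct { ThreadId id; FILE *fp; long records; } TmpThreadData;

static int TmpInit(const SCConfNode *conf, bool threaded, void **init_data)
{
    (void)conf; /* a real filetype would read its own settings from the eve-log node */
    TmpInitData *d = calloc(1, sizeof(*d));
    if (d == NULL) return -1;
    d->threaded = threaded;
    *init_data = d;
    return 0;
}

static int TmpThreadInit(const void *init_data, ThreadId thread_id, void **thread_data)
{
    (void)init_data;
    TmpThreadData *t = calloc(1, sizeof(*t));
    if (t == NULL) return -1;
    t->id = thread_id;
    t->fp = tmpfile(); /* constructed stand-in for a real per-thread log path */
    if (t->fp == NULL) { free(t); return -1; }
    *thread_data = t;
    return 0;
}

static int TmpWrite(const char *buffer, int buffer_len, const void *init_data, void *thread_data)
{
    (void)init_data;
    TmpThreadData *t = thread_data;
    /* Reject malformed calls instead of touching memory we were not given. */
    if (buffer == NULL || buffer_len < 0 || t == NULL || t->fp == NULL) return -1;
    if (fwrite(buffer, 1, (size_t)buffer_len, t->fp) != (size_t)buffer_len) return -1;
    if (fputc('\n', t->fp) == EOF) return -1; /* assumption: newline-delimited records */
    t->records++;
    return 0;
}

static void TmpThreadDeinit(const void *init_data, void *thread_data)
{
    (void)init_data;
    TmpThreadData *t = thread_data;
    if (t == NULL) return;
    if (t->fp != NULL) fclose(t->fp); /* release what ThreadInit allocated */
    free(t);
}

static void TmpDeinit(void *init_data) { free(init_data); }

/* The registration record a library user or plugin would hand to Suricata. */
const SCEveFileType TmpFileType = {
    "tmp-per-thread", TmpInit, TmpThreadInit, TmpWrite, TmpThreadDeinit, TmpDeinit
};

/* Drives the documented life cycle for `nthreads` output threads, writing
 * `per_thread` constructed records each. Returns the number of records the
 * filetype accepted, or -1 if any callback failed or the bytes on disk do not
 * match what was written. Calls are sequential: this checks ordering, not
 * concurrency. */
long RunLifecycle(const SCEveFileType *ft, bool threaded, int nthreads, int per_thread)
{
    void *init_data = NULL;
    if (ft->Init(NULL, threaded, &init_data) != 0) return -1;
    long total = 0;
    int rc = 0;
    for (ThreadId id = 0; id < nthreads && rc == 0; id++) {
        void *td = NULL;
        if (ft->ThreadInit(init_data, id, &td) != 0) { rc = -1; break; }
        long expected_bytes = 0;
        for (int seq = 0; seq < per_thread && rc == 0; seq++) {
            char rec[128]; /* constructed EVE-style record */
            int n = snprintf(rec, sizeof(rec),
                             "{\"event_type\":\"alert\",\"thread\":%d,\"seq\":%d}", id, seq);
            if (ft->Write(rec, n, init_data, td) != 0) rc = -1;
            else { expected_bytes += n + 1; total++; }
        }
        TmpThreadData *t = td;
        if (rc == 0 && (fflush(t->fp) != 0 || ftell(t->fp) != expected_bytes)) rc = -1;
        ft->ThreadDeinit(init_data, td);
    }
    ft->Deinit(init_data);
    return rc == 0 ? total : -1;
}
```

Because the only mutable state Write touches lives in its own thread_data, the same code is correct in both the default non-threaded mode (one ThreadInit with thread_id 0) and threaded mode (one ThreadInit per output thread). A filetype that instead kept one shared handle in init_data would have to wrap the fwrite/fputc pair in a mutex, and the failure checks in Write would still be needed so a short write is reported back as -1 rather than silently dropping a record.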

Definition at line 110 of file output-eve-bindgen.h.

Member Function Documentation

◆ TAILQ_ENTRY()

SCEveFileType_::TAILQ_ENTRY ( SCEveFileType_ )

Field Documentation

◆ Deinit

SCEveFileTypeDeinitFunc SCEveFileType_::Deinit

Final call to deinitialize this filetype.

Called, usually on exit, to deinitialize and free any resources allocated during Init.

Parameters
  init_data: Data set up in the call to Init.

Definition at line 202 of file output-eve-bindgen.h.

Referenced by LogFileFreeCtx().

◆ Init

SCEveFileTypeInitFunc SCEveFileType_::Init

Function to initialize this filetype.

Parameters
  conf: The ConfNode of the eve-log configuration section this filetype is being initialized for
  threaded: Flag to specify whether the EVE sub-system is in threaded mode or not
  init_data: An output pointer for filetype-specific data
Return values
  0 on success, -1 on failure

Definition at line 140 of file output-eve-bindgen.h.

Referenced by NullLogInitialize(), PluginInit(), and SyslogInitialize().

◆ name

const char * SCEveFileType_::name

The name of the output, used in the configuration.

This name is used by the configuration file to specify the EVE filetype used.

For example:

    outputs:
      - eve-log:
          filetype: my-output-name

Definition at line 125 of file output-eve-bindgen.h.

Referenced by NullLogInitialize(), PluginInit(), SCEveFindFileType(), and SyslogInitialize().

◆ ThreadDeinit

SCEveFileTypeThreadDeinitFunc SCEveFileType_::ThreadDeinit

Called to deinitialize each thread.

This function will be called for each thread. It is where any resources allocated in ThreadInit should be released.

Parameters
  init_data: The data set up in Init
  thread_data: The data set up in ThreadInit

Definition at line 192 of file output-eve-bindgen.h.

Referenced by LogFileFreeCtx().

◆ ThreadInit

SCEveFileTypeThreadInitFunc SCEveFileType_::ThreadInit

Initialize thread specific data.

Initialize any thread-specific data. For example, if implementing a file output you might open the files here, so that you have one output file per thread.

Parameters
  init_data: Data set up during Init
  thread_id: A unique ID to differentiate this thread from others. If EVE is not in threaded mode this will be called once with a ThreadId of 0. In threaded mode the ThreadId of 0 correlates to the main Suricata thread.
  thread_data: Output pointer for any data required by this thread.
Return values
  0 on success, -1 on failure

Definition at line 161 of file output-eve-bindgen.h.

◆ Write

SCEveFileTypeWriteFunc SCEveFileType_::Write

Called for each EVE log record.

The Write function is called for each EVE log record. The provided buffer contains a fully formatted EVE record in JSON format.

Parameters
  buffer: The fully formatted JSON EVE log record
  buffer_len: The length of the buffer
  init_data: The data set up in the call to Init
  thread_data: The data set up in the call to ThreadInit
Return values
  0 on success, -1 on failure

Definition at line 180 of file output-eve-bindgen.h.

Referenced by LogFileWrite().


The documentation for this struct was generated from the following files: