aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b1200dba54'
${ noResults }
suricata/src/output.h

152 lines
6.1 KiB
C
Raw Normal View History Unescape Escape

Import of GPLv2 Header 050410
15 years ago
/* Copyright (C) 2007-2010 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
/**
* \file
Import of GPLv2 Header 050410
15 years ago
*
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
* \author Endace Technology Limited, Jason Ish <jason.ish@endace.com>
*/
#ifndef __OUTPUT_H__
#define __OUTPUT_H__
Unified output fixes: alert count per module (not per thread), fix timestamps on pcap mode, write *all* the alerts of a packet, write the log header once also on unified alert
16 years ago
#include "suricata.h"
Add per packet profiling. Per packet profiling uses tick based accounting. It has 2 outputs, a summary and a csv file that contains per packet stats. Stats per packet include: 1) total ticks spent 2) ticks spent per individual thread module 3) "threading overhead" which is simply calculated by subtracting (2) of (1). A number of changes were made to integrate the new code in a clean way: a number of generic enums are now placed in tm-threads-common.h so we can include them from any part of the engine. Code depends on --enable-profiling just like the rule profiling code. New yaml parameters: profiling: # packet profiling packets: # Profiling can be disabled here, but it will still have a # performance impact if compiled in. enabled: yes filename: packet_stats.log append: yes # per packet csv output csv: # Output can be disabled here, but it will still have a # performance impact if compiled in. enabled: no filename: packet_stats.csv Example output of summary stats: IP ver Proto cnt min max avg ------ ----- ------ ------ ---------- ------- IPv4 6 19436 11448 5404365 32993 IPv4 256 4 11511 49968 30575 Per Thread module stats: Thread Module IP ver Proto cnt min max avg ------------------------ ------ ----- ------ ------ ---------- ------- TMM_DECODEPCAPFILE IPv4 6 19434 1242 47889 1770 TMM_DETECT IPv4 6 19436 1107 137241 1504 TMM_ALERTFASTLOG IPv4 6 19436 90 1323 155 TMM_ALERTUNIFIED2ALERT IPv4 6 19436 108 1359 138 TMM_ALERTDEBUGLOG IPv4 6 19436 90 1134 154 TMM_LOGHTTPLOG IPv4 6 19436 414 5392089 7944 TMM_STREAMTCP IPv4 6 19434 828 1299159 19438 The proto 256 is a counter for handling of pseudo/tunnel packets. Example output of csv: pcap_cnt,ipver,ipproto,total,TMM_DECODENFQ,TMM_VERDICTNFQ,TMM_RECEIVENFQ,TMM_RECEIVEPCAP,TMM_RECEIVEPCAPFILE,TMM_DECODEPCAP,TMM_DECODEPCAPFILE,TMM_RECEIVEPFRING,TMM_DECODEPFRING,TMM_DETECT,TMM_ALERTFASTLOG,TMM_ALERTFASTLOG4,TMM_ALERTFASTLOG6,TMM_ALERTUNIFIEDLOG,TMM_ALERTUNIFIEDALERT,TMM_ALERTUNIFIED2ALERT,TMM_ALERTPRELUDE,TMM_ALERTDEBUGLOG,TMM_ALERTSYSLOG,TMM_LOGDROPLOG,TMM_ALERTSYSLOG4,TMM_ALERTSYSLOG6,TMM_RESPONDREJECT,TMM_LOGHTTPLOG,TMM_LOGHTTPLOG4,TMM_LOGHTTPLOG6,TMM_PCAPLOG,TMM_STREAMTCP,TMM_DECODEIPFW,TMM_VERDICTIPFW,TMM_RECEIVEIPFW,TMM_RECEIVEERFFILE,TMM_DECODEERFFILE,TMM_RECEIVEERFDAG,TMM_DECODEERFDAG,threading 1,4,6,172008,0,0,0,0,0,0,47889,0,0,48582,1323,0,0,0,0,1359,0,1134,0,0,0,0,0,8028,0,0,0,49356,0,0,0,0,0,0,0,14337 First line of the file contains labels. 2 example gnuplot scripts added to plot the data.
14 years ago
#include "tm-threads.h"
Unified output fixes: alert count per module (not per thread), fix timestamps on pcap mode, write *all* the alerts of a packet, write the log header once also on unified alert
16 years ago
added support for appending the log files
15 years ago
#define DEFAULT_LOG_MODE_APPEND "yes"
SCConfLogOpenGeneric() abstraction for regular and AF_UNIX logs. util-logopenfile.[ch] implements the abstraction; util-error.[ch] modified to include a socket-specific error code; output.h adds a default filetype for logs ("regular").
14 years ago
#define DEFAULT_LOG_FILETYPE "regular"
added support for appending the log files
15 years ago
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
#include "output-packet.h"
Introduce TX logging API This patch introduces a new API for logging transactions from tx-aware app layer protocols. It runs all the registered loggers from a single thread module. This thread module takes care of the transaction handling and flow locking. The logger just gets a transaction to log out. All loggers for a protocol will be run at the same time, so there will not be any timing differences. Loggers will no longer act as Thread Modules in the strictest sense. The Func is NULL, and SetupOuputs no longer attaches them to the thread module chain individually. Instead, after registering through OutputRegisterTxModule, the setup data is used in the single logging module. The logger (LogFunc) is called for each transaction once, at the end of the transaction.
12 years ago
#include "output-tx.h"
Introduce 'file' logging API This patch introduces a new logging API for logging extracted file info. It allows for registration of a callback that is called once per file: when it's considered 'closed'. Users of this API register their Log Function through: OutputRegisterFileModule() The API uses a magic settings globally. This might be changed later.
12 years ago
#include "output-file.h"
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
#include "output-filedata.h"
flow: flow log threading setup Set up threading for the flow logger.
11 years ago
#include "output-flow.h"
output-streaming: a Log API for streaming data This patch adds a new Log API for streaming data such as TCP reassembled data and HTTP body data. It could also replace Filedata API. Each time a new chunk of data is available, the callback will be called.
11 years ago
#include "output-streaming.h"
Introduce stats log API, convert existing output Convert regular 'stats.log' output to this new API. In addition to the current stats value, also give the last value. This makes it easy to display the difference.
11 years ago
#include "output-stats.h"
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
typedef struct OutputModule_ {
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
const char *name;
const char *conf_name;
const char *parent_name;
Have output plugs use an OutputCtx which is a little more generic than LogFileCtx. The OutputCtx provides a place for module private data to avoi overriding the LogFileCtx.
16 years ago
OutputCtx *(*InitFunc)(ConfNode *);
output: introduce concept of sub-modules To support the 'eve-log' idea, we need to be able to force all log modules to be enabled by the master eve-log module, and need to be able to make all logs go into a single file. This didn't fit the API so far, so added the sub-module concept. A sub-module is a regular module, that registers itself as a sub- module of another module: OutputRegisterTxSubModule("eve-log", "JsonHttpLog", "http", OutputHttpLogInitSub, ALPROTO_HTTP, JsonHttpLogger); The first argument is the name of the parent. The 4th argument is the OutputCtx init function. It differs slightly from the non-sub one. The different is that in addition to it's ConfNode, it gets the OutputCtx from the parent. This way it can set the parents LogFileCtx in it's own OutputCtx. The runmode setup code will take care of all the extra setup. It's possible to register a module both as a normal module and as a sub- module, which can operate at the same time. Only the TxLogger API is handled in this patch, the rest will be updated later.
12 years ago
OutputCtx *(*InitSubFunc)(ConfNode *, OutputCtx *parent_ctx);
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
logging: convert dns log to a non-thread module
9 years ago
TmEcode (*ThreadInit)(ThreadVars *, void *, void **);
TmEcode (*ThreadDeinit)(ThreadVars *, void *);
void (*ThreadExitPrintStats)(ThreadVars *, void *);
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
PacketLogger PacketLogFunc;
PacketLogCondition PacketConditionFunc;
Introduce TX logging API This patch introduces a new API for logging transactions from tx-aware app layer protocols. It runs all the registered loggers from a single thread module. This thread module takes care of the transaction handling and flow locking. The logger just gets a transaction to log out. All loggers for a protocol will be run at the same time, so there will not be any timing differences. Loggers will no longer act as Thread Modules in the strictest sense. The Func is NULL, and SetupOuputs no longer attaches them to the thread module chain individually. Instead, after registering through OutputRegisterTxModule, the setup data is used in the single logging module. The logger (LogFunc) is called for each transaction once, at the end of the transaction.
12 years ago
TxLogger TxLogFunc;
output: add new tx logger to log at certain condition Some loggers needs certain conditions to be met before logging. This enables us to use conditions on the tx logger.
9 years ago
TxLoggerCondition TxLogCondition;
Introduce 'file' logging API This patch introduces a new logging API for logging extracted file info. It allows for registration of a callback that is called once per file: when it's considered 'closed'. Users of this API register their Log Function through: OutputRegisterFileModule() The API uses a magic settings globally. This might be changed later.
12 years ago
FileLogger FileLogFunc;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
FiledataLogger FiledataLogFunc;
flow: flow log threading setup Set up threading for the flow logger.
11 years ago
FlowLogger FlowLogFunc;
output-streaming: a Log API for streaming data This patch adds a new Log API for streaming data such as TCP reassembled data and HTTP body data. It could also replace Filedata API. Each time a new chunk of data is available, the callback will be called.
11 years ago
StreamingLogger StreamingLogFunc;
Introduce stats log API, convert existing output Convert regular 'stats.log' output to this new API. In addition to the current stats value, also give the last value. This makes it easy to display the difference.
11 years ago
StatsLogger StatsLogFunc;
log api: use AppProto instead of uint16_t
12 years ago
AppProto alproto;
streaming logger: support Http Body logging Add an argument to the registration to indicate which iterator needs to be used: Stream or HttpBody Add HttpBody Iterator, calling the logger(s) for each Http body chunk.
11 years ago
enum OutputStreamingType stream_type;
output: add new logger to log at specified state Sometimes we want to log when we reach a specified state instead of waiting for the session to end. E.g for TLS we want to log as soon as the handshake is done. To do this, a new logger is added, where it is possible to specify a custom "ProgressCompletionStatus".
9 years ago
int tc_log_progress;
int ts_log_progress;
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
TAILQ_ENTRY(OutputModule_) entries;
} OutputModule;
logging: setup all registered loggers for a name When setting up a configured logger, do so for all registered loggers of that name instead of just the first registered one. This allows a logger to register itself more than once, which can allow for independent logging of requests and replies without touching the core transaction handling logic. We do this so just having "dns" in the eve-log can configured multiple "dns" loggers instead of having something like "dns-tc" and "dns-ts" in the configuration file.
9 years ago
typedef TAILQ_HEAD(OutputModuleList_, OutputModule_) OutputModuleList;
extern OutputModuleList output_modules;
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterModule(const char *, const char *, OutputCtx *(*)(ConfNode *));
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterPacketModule(const char *name, const char *conf_name,
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
OutputCtx *(*InitFunc)(ConfNode *),
logging: convert fast log to a non-thread module
9 years ago
PacketLogger LogFunc, PacketLogCondition ConditionFunc,
ThreadInitFunc, ThreadDeinitFunc, ThreadExitPrintStatsFunc);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterPacketSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
output: sub-module support for other log api's Packets: void OutputRegisterPacketSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), PacketLogger LogFunc, PacketLogCondition ConditionFunc); Files: void OutputRegisterFileSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FileLogger FileLogFunc); Filedata: void OutputRegisterFiledataSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FiledataLogger FiledataLogFunc);
12 years ago
PacketLogger LogFunc, PacketLogCondition ConditionFunc);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterTxModule(const char *name, const char *conf_name,
log api: use AppProto instead of uint16_t
12 years ago
OutputCtx *(*InitFunc)(ConfNode *), AppProto alproto,
logging: convert dns log to a non-thread module
9 years ago
TxLogger TxLogFunc, TmEcode (*ThreadInit)(ThreadVars *t, void *, void **),
TmEcode (*ThreadDeinit)(ThreadVars *t, void *),
void (*ThreadExitPrintStats)(ThreadVars *, void *));
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterTxSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *parent_ctx),
log api: use AppProto instead of uint16_t
12 years ago
AppProto alproto, TxLogger TxLogFunc);
output: sub-module support for other log api's Packets: void OutputRegisterPacketSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), PacketLogger LogFunc, PacketLogCondition ConditionFunc); Files: void OutputRegisterFileSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FileLogger FileLogFunc); Filedata: void OutputRegisterFiledataSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FiledataLogger FiledataLogFunc);
12 years ago
output: add new tx logger to log at certain condition Some loggers needs certain conditions to be met before logging. This enables us to use conditions on the tx logger.
9 years ago
void OutputRegisterTxModuleWithCondition(const char *name, const char *conf_name,
OutputCtx *(*InitFunc)(ConfNode *), AppProto alproto,
TxLogger TxLogFunc, TxLoggerCondition TxLogCondition);
void OutputRegisterTxSubModuleWithCondition(const char *parent_name,
const char *name, const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *,
OutputCtx *parent_ctx), AppProto alproto, TxLogger TxLogFunc,
TxLoggerCondition TxLogCondition);
output: add new logger to log at specified state Sometimes we want to log when we reach a specified state instead of waiting for the session to end. E.g for TLS we want to log as soon as the handshake is done. To do this, a new logger is added, where it is possible to specify a custom "ProgressCompletionStatus".
9 years ago
void OutputRegisterTxModuleWithProgress(const char *name, const char *conf_name,
OutputCtx *(*InitFunc)(ConfNode *), AppProto alproto,
TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress);
void OutputRegisterTxSubModuleWithProgress(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *parent_ctx),
AppProto alproto, TxLogger TxLogFunc, int tc_log_progress, int ts_log_progress);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterFileModule(const char *name, const char *conf_name,
Introduce 'file' logging API This patch introduces a new logging API for logging extracted file info. It allows for registration of a callback that is called once per file: when it's considered 'closed'. Users of this API register their Log Function through: OutputRegisterFileModule() The API uses a magic settings globally. This might be changed later.
12 years ago
OutputCtx *(*InitFunc)(ConfNode *), FileLogger FileLogFunc);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterFileSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
FileLogger FileLogFunc);
output: sub-module support for other log api's Packets: void OutputRegisterPacketSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), PacketLogger LogFunc, PacketLogCondition ConditionFunc); Files: void OutputRegisterFileSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FileLogger FileLogFunc); Filedata: void OutputRegisterFiledataSubModule(const char *parent_name, char *name, char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FiledataLogger FiledataLogFunc);
12 years ago
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterFiledataModule(const char *name, const char *conf_name,
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputCtx *(*InitFunc)(ConfNode *), FiledataLogger FiledataLogFunc);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
void OutputRegisterFiledataSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
FiledataLogger FiledataLogFunc);
Introduce packet logging output API This patch introduces a new API for outputs that log based on the packet, such as alert outputs. In converts fast-log to the new API. The API gets rid of the concept of each logger being a thread module, but instead there is one thread module that runs all packet loggers. Through the registration function OutputRegisterPacketModule a log module can register itself to be considered for each packet. Each logger registers itself to this new API with 2 functions and the OutputCtx object that was already used in the old implementation. The function pointers are: LogFunc: the log function ConditionFunc: this function is called before the LogFunc and only if this returns TRUE the LogFunc is called. For a simple alert logger like fast-log, the condition function will simply return TRUE if p->alerts.cnt > 0.
12 years ago
flow: flow log threading setup Set up threading for the flow logger.
11 years ago
void OutputRegisterFlowModule(const char *name, const char *conf_name,
OutputCtx *(*InitFunc)(ConfNode *), FlowLogger FlowLogFunc);
void OutputRegisterFlowSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
FlowLogger FlowLogFunc);
output-streaming: a Log API for streaming data This patch adds a new Log API for streaming data such as TCP reassembled data and HTTP body data. It could also replace Filedata API. Each time a new chunk of data is available, the callback will be called.
11 years ago
void OutputRegisterStreamingModule(const char *name, const char *conf_name,
streaming logger: support Http Body logging Add an argument to the registration to indicate which iterator needs to be used: Stream or HttpBody Add HttpBody Iterator, calling the logger(s) for each Http body chunk.
11 years ago
OutputCtx *(*InitFunc)(ConfNode *), StreamingLogger StreamingLogFunc,
enum OutputStreamingType stream_type);
output-streaming: a Log API for streaming data This patch adds a new Log API for streaming data such as TCP reassembled data and HTTP body data. It could also replace Filedata API. Each time a new chunk of data is available, the callback will be called.
11 years ago
void OutputRegisterStreamingSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
streaming logger: support Http Body logging Add an argument to the registration to indicate which iterator needs to be used: Stream or HttpBody Add HttpBody Iterator, calling the logger(s) for each Http body chunk.
11 years ago
StreamingLogger StreamingLogFunc, enum OutputStreamingType stream_type);
output-streaming: a Log API for streaming data This patch adds a new Log API for streaming data such as TCP reassembled data and HTTP body data. It could also replace Filedata API. Each time a new chunk of data is available, the callback will be called.
11 years ago
Introduce stats log API, convert existing output Convert regular 'stats.log' output to this new API. In addition to the current stats value, also give the last value. This makes it easy to display the difference.
11 years ago
void OutputRegisterStatsModule(const char *name, const char *conf_name,
OutputCtx *(*InitFunc)(ConfNode *), StatsLogger StatsLogFunc);
void OutputRegisterStatsSubModule(const char *parent_name, const char *name,
const char *conf_name, OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
StatsLogger StatsLogFunc);
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
OutputModule *OutputGetModuleByConfName(const char *name);
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
void OutputDeregisterAll(void);
output: check for multiple instances of drop and tls Both the drop and tls logs are currently not designed to have multiple instances running. So until that is changed, error out if more than one instance is started.
12 years ago
int OutputDropLoggerEnable(void);
output: add Disable funcs to mirror Enable For the loggers that we allow only one instance for: tls, ssh, drop, we track active loggers through Output*Enable functions. Add Disable functions to mirror this. They are to be called from the shutdown funcs those loggers use.
11 years ago
void OutputDropLoggerDisable(void);
ssh: add json logger Sub module of eve-log, but can also run separately as ssh-json-log. Only one at a time though.
12 years ago
int OutputSshLoggerEnable(void);
output: add Disable funcs to mirror Enable For the loggers that we allow only one instance for: tls, ssh, drop, we track active loggers through Output*Enable functions. Add Disable functions to mirror this. They are to be called from the shutdown funcs those loggers use.
11 years ago
void OutputSshLoggerDisable(void);
output: check for multiple instances of drop and tls Both the drop and tls logs are currently not designed to have multiple instances running. So until that is changed, error out if more than one instance is started.
12 years ago
Registration for SIGHUP notification - for loggers interested in file rotation on SIGHUP.
12 years ago
void OutputRegisterFileRotationFlag(int *flag);
Unregister for file rotation notification when a context is de-initialized. Required for unix-socket mode where contexts come and go.
11 years ago
void OutputUnregisterFileRotationFlag(int *flag);
Registration for SIGHUP notification - for loggers interested in file rotation on SIGHUP.
12 years ago
void OutputNotifyFileRotation(void);
Have output modules register themselves so run mode configurator becomes aware of them for purposes of being configured from the config file.
16 years ago
#endif /* ! __OUTPUT_H__ */