From 706a0bd99bd43b9f7d75e7e00efbbbd865fa5399 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 3 Apr 2025 15:34:18 +0200
Subject: [PATCH] output: option to add suricata version in eve logs

Ticket: 4853
---
doc/userguide/output/eve/eve-json-output.rst | 4 ++++
etc/schema.json | 3 +++
src/output-json.c | 11 +++++++++++
src/output-json.h | 1 +
suricata.yaml.in | 2 ++
5 files changed, 21 insertions(+)
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index 7ebda748d0..6b96b56b46 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -19,6 +19,9 @@ if available. If the ``pkt_src`` value is ``stream (flow timeout)``, then the ``ethernet`` value will be populated with mac addresses from the flow's first packet with ethernet header.
+If ``suricata-version`` is set to yes, then Suricata version, with its git
+revision if available, will be added to events as ``suricata_version``.
+
 Output Buffering
 ~~~~~~~~~~~~~~~~
@@ -69,6 +72,7 @@ Output types::
 #level: Info ## possible levels: Emergency, Alert, Critical,
 ## Error, Warning, Notice, Info, Debug
 #ethernet: no # log ethernet header in events when available
+ #suricata-version: no # include suricata version. Default no.
 #redis:
 # server: 127.0.0.1
 # port: 6379
diff --git a/etc/schema.json b/etc/schema.json
index 6d21b74204..ef554f917e 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -99,6 +99,9 @@
 "src_port": {
 "type": "integer"
 },
+ "suricata_version": {
+ "type": "string"
+ },
 "stream": {
 "type": "integer"
 },
diff --git a/src/output-json.c b/src/output-json.c
index 4f8b3cad34..b1f327580a 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -398,6 +398,9 @@ void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f, SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
 {
+ if (cfg->include_suricata_version) {
+ SCJbSetString(js, "suricata_version", PROG_VER);
+ }
 if (cfg->include_metadata) {
 EveAddMetadata(p, f, js);
 }
@@ -1226,6 +1229,14 @@ OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
 json_ctx->cfg.include_ethernet = false;
 }

+ const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
+ if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
+ SCLogConfig("Enabling Suricata version logging.");
+ json_ctx->cfg.include_suricata_version = true;
+ } else {
+ json_ctx->cfg.include_suricata_version = false;
+ }
+
 /* See if we want to enable the community id */
 const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
 if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {
diff --git a/src/output-json.h b/src/output-json.h
index a126391f28..1f4fec70d0 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -65,6 +65,7 @@ typedef struct OutputJsonCommonSettings_ {
 bool include_metadata;
 bool include_community_id;
 bool include_ethernet;
+ bool include_suricata_version;
 uint16_t community_id_seed;
 } OutputJsonCommonSettings;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 66c9ef5fdc..de07871fe4 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -139,6 +139,8 @@ outputs:
 # Include top level metadata. Default yes.
 #metadata: no

+ # Include suricata version. Default no.
+ #suricata-version: yes
 # include the name of the input pcap file in pcap file processing mode
 pcap-file: false
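Review bot: The value written by the new `SCJbSetString(js, "suricata_version", PROG_VER);` in EveAddCommonOptions is the bare `PROG_VER` macro, while the documentation hunk in eve-json-output.rst promises the version "with its git revision if available"; unless that macro already carries the revision (not visible here), the doc and the code disagree. If the project has a runtime version string that includes the revision, log that one here, otherwise drop the "git revision" clause from the doc and the yaml comment so operators know exactly what is disclosed. Because the string is a build-time constant emitted on every event, the cost is one fixed string copy per record, which is fine for an option that defaults to off. EveAddCommonOptions's body continues outside the hunk.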
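Review bot: The local `suriver` in the OutputJsonInitCtx hunk reads as a cryptic abbreviation next to the `community_id` node handled a few lines below; `const SCConfNode *suricata_version = SCConfNodeLookupChild(conf, "suricata-version");` would match the naming of its neighbours. The lookup-then-`SCConfValIsTrue` sequence is now repeated for ethernet (assigned just above), suricata-version and community-id, so a small file-local helper taking `conf` and the child name and returning a bool would let each option become a one-line assignment; that is a style suggestion, the logic itself is consistent with the existing options. OutputJsonInitCtx's body starts and ends outside the hunk.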