From 969abc2ccd0b85924dd5c3aea55fd441a7cd9588 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 16 Dec 2014 00:14:59 +0100
Subject: [PATCH] output-json: fix duplicate logging

This patches is fixing a issue in the OutputJSONBuffer function. It was writing to file the content of the buffer starting from the start to the final offset. But as the writing is done for each JSON string we are duplicating the previous events if we are reusing the same buffer. Duplication was for example triggered when we have multiple alerts attached to a packet. In the case of two alerts, the first one was logged twice more as the second one.
---
 src/output-json-alert.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index ed6b3b4373..cd1168aa2d 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -134,8 +134,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 if (p->alerts.cnt == 0)
 return TM_ECODE_OK;

- MemBufferReset(aft->json_buffer);
-
 json_t *js = CreateJSONHeader((Packet *)p, 0, "alert");
 if (unlikely(js == NULL))
 return TM_ECODE_OK;
@@ -159,6 +157,8 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 return TM_ECODE_OK;
 }

+ MemBufferReset(aft->json_buffer);
+
 json_object_set_new(ajs, "action", json_string(action));
 json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
 json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
@@ -303,11 +303,11 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
 if (p->alerts.cnt == 0)
 return TM_ECODE_OK;

- MemBufferReset(buffer);
-
 CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));

 for (i = 0; i < p->alerts.cnt; i++) {
+ MemBufferReset(buffer);
+
 const PacketAlert *pa = &p->alerts.alerts[i];
 if (unlikely(pa->s == NULL)) {
 continue;
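Review bot: The `MemBufferReset(aft->json_buffer);` added ahead of `json_object_set_new(ajs, "action", ...)` in AlertJson depends on an invariant that is stated only in the commit message: OutputJSONBuffer writes the buffer from its start to the current offset, so the buffer has to be reset before every event. A comment at the reset would keep that visible to the next person who touches the loop, e.g. `/* reset per alert: OutputJSONBuffer() writes the buffer from offset 0 */`. Other loggers that push several events through one reused buffer presumably need the same per-event reset, but they are not part of this patch, so that is worth checking separately; duplicated records in an alert log skew the counts that downstream consumers see. The loop in AlertJson starts and ends outside this hunk.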
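Review bot: In AlertJsonDecoderEvent the new `MemBufferReset(buffer);` is the first statement of the loop body, ahead of the `if (unlikely(pa->s == NULL))` guard and ahead of the `const PacketAlert *pa` declaration, whereas AlertJson resets only after its early-exit check. Placing `MemBufferReset(buffer);` directly after the closing brace of that guard would keep the two functions parallel, skip the reset for alerts that are not logged, and leave the declaration at the top of the block. The loop body continues past the end of the hunk, so the write call that consumes the buffer is not visible here.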