eve: metadata setting to enable/disable metadata

This is a top level metadata object containing flowbits, flowints, pktvars and flowvars. Enabling it at the top level enables it for all log types.
8 years ago · dd988d9934
parent 5138f99c58
commit dd988d9934
3 changed files with 16 additions and 4 deletions
--- a/src/output-json.c
+++ b/src/output-json.c
@ -371,7 +371,7 @@ void JsonAddVars(const Packet *p, const Flow *f, json_t *js)
 /**
 * \brief Add top-level metadata to the eve json object.
 */
-static void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
 {
    if ((p && p->pktvar) || (f && f->flowvar)) {
        json_t *js_vars = json_object();
@ -579,9 +579,6 @@ json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
    /* 5-tuple */
    JsonFiveTuple(p, direction_sensitive, js);

-    /* Metadata. */
-    JsonAddMetadata(p, f, js);
-
    /* icmp */
    switch (p->proto) {
        case IPPROTO_ICMP:
@ -833,6 +830,15 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
            }
        }

+        /* Check if top-level metadata should be logged. */
+        const ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
+        if (metadata && metadata->val && ConfValIsFalse(metadata->val)) {
+            SCLogConfig("Disabling eve metadata logging.");
+            json_ctx->include_metadata = false;
+        } else {
+            json_ctx->include_metadata = true;
+        }
+
        json_ctx->file_ctx->type = json_ctx->json_out;
    }

--- a/src/output-json.h
+++ b/src/output-json.h
@ -41,6 +41,7 @@ typedef struct OutputJSONMemBufferWrapper_ {
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);

 void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
 void JsonFiveTuple(const Packet *, int, json_t *);
@ -55,6 +56,7 @@ OutputInitResult OutputJsonInitCtx(ConfNode *);
 typedef struct OutputJsonCtx_ {
    LogFileCtx *file_ctx;
    enum LogFileType json_out;
+    bool include_metadata;
 } OutputJsonCtx;

 json_t *SCJsonBool(int val);
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -163,6 +163,10 @@ outputs:
      #  pipelining:
      #    enabled: yes ## set enable to yes to enable query pipelining
      #    batch-size: 10 ## number of entry to keep in buffer
+
+      # Include top level metadata. Default yes.
+      #metadata: no
+
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64