From de4e2221d8e9dc43f07c867caaad5e42f16a96b7 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 12 Jul 2014 09:25:21 +0200
Subject: [PATCH] eve: add tx_id to output for alerts and events
Add tx_id field for correlating alerts and events per tx.
---
 src/output-json-alert.c | 3 +++
 src/output-json-dns.c | 13 +++++++++----
 src/output-json-file.c | 1 +
 src/output-json-http.c | 7 +++++--
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 353d66f268..58bdad36a7 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -135,6 +135,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
 json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
+ if (pa->flags & PACKET_ALERT_FLAG_TX)
+ json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
+
 /* alert */
 json_object_set_new(js, "alert", ajs);
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 066ce8901c..71d8adb820 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -70,7 +70,9 @@ typedef struct LogDnsLogThread_ {
 MemBuffer *buffer;
 } LogDnsLogThread;
-static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQueryEntry *entry) {
+static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx,
+ uint64_t tx_id, DNSQueryEntry *entry)
+{
 MemBuffer *buffer = (MemBuffer *)aft->buffer;
 SCLogDebug("got a DNS request and now logging !!");
@@ -102,6 +104,9 @@ static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQu
 DNSCreateTypeString(entry->type, record, sizeof(record));
 json_object_set_new(djs, "rrtype", json_string(record));
+ /* tx id (tx counter) */
+ json_object_set_new(djs, "tx_id", json_integer(tx_id));
+
 /* dns */
 json_object_set_new(js, "dns", djs);
 OutputJSONBuffer(js, aft->dnslog_ctx->file_ctx, buffer);
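Review bot: `json_integer(pa->tx_id)` on the new line in AlertJson hands a transaction id to jansson's signed `json_int_t`, which is `long long` only when JSON_INTEGER_IS_LONG_LONG is set and plain `long` otherwise, so if `pa->tx_id` is the same `uint64_t` the DNS and HTTP hunks use for this id, a 32-bit `long` build would silently truncate it and any value above INT64_MAX would be logged negative. A monotonically increasing counter will not reach that range in practice, but an explicit `json_integer((json_int_t)pa->tx_id)` records that the narrowing is deliberate and keeps `-Wconversion` quiet; the same applies to the three other `tx_id` emit sites in this patch. The `if` body is a single unbraced statement, and bracing multi-line conditionals is cheap insurance against a later edit adding a second line. AlertJson's body starts and ends outside this hunk.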
@@ -174,7 +179,7 @@ static void OutputAnswer(LogDnsLogThread *aft, json_t *djs, DNSTransaction *tx,
 return;
 }
-static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx) {
+static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, uint64_t tx_id) {
 SCLogDebug("got a DNS response and now logging !!");
@@ -208,7 +213,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
 if (unlikely(js == NULL))
 return TM_ECODE_OK;
- LogQuery(td, js, tx, query);
+ LogQuery(td, js, tx, tx_id, query);
 json_decref(js);
 }
@@ -217,7 +222,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
 if (unlikely(js == NULL))
 return TM_ECODE_OK;
- LogAnswers(td, js, tx);
+ LogAnswers(td, js, tx, tx_id);
 json_decref(js);
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 9aa417122d..e56ef579d5 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -232,6 +232,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 json_object_set_new(fjs, "stored",
 (ff->flags & FILE_STORED) ? json_true() : json_false());
 json_object_set_new(fjs, "size", json_integer(ff->size));
+ json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
 /* originally just 'file', but due to bug 1127 naming it fileinfo */
 json_object_set_new(js, "fileinfo", fjs);
diff --git a/src/output-json-http.c b/src/output-json-http.c
index 9ed0df1f00..827cff89d7 100644
--- a/src/output-json-http.c
+++ b/src/output-json-http.c
@@ -180,7 +180,7 @@ struct {
 /* JSON format logging */
-static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
+static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, uint64_t tx_id)
 {
 LogHttpFileCtx *http_ctx = aft->httplog_ctx;
 json_t *hjs = json_object();
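Review bot: The new `uint64_t tx_id` parameter added to LogAnswers is never used: the diffstat's 13 changed lines for output-json-dns.c are fully accounted for by the five visible hunks (9 insertions, 4 deletions), and none of them adds `tx_id` to the answer record the way the LogQuery hunk does for queries. So DNS answer events go out without the correlation key this commit is introducing, and `-Wunused-parameter` will flag the signature. The fix is to thread the id into the answer path, either passing it on to OutputAnswer or emitting `json_object_set_new(djs, "tx_id", json_integer(tx_id));` where the answer object is assembled; LogAnswers's body lies outside this hunk, so the exact insertion point is not visible here.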
@@ -348,6 +348,9 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
 json_object_set_new(hjs, "length", json_integer(tx->response_message_len));
 }
+ /* tx id for correlation with alerts */
+ json_object_set_new(hjs, "tx_id", json_integer(tx_id));
+
 json_object_set_new(js, "http", hjs);
 }
@@ -368,7 +371,7 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
 /* reset */
 MemBufferReset(buffer);
- JsonHttpLogJSON(jhl, js, tx);
+ JsonHttpLogJSON(jhl, js, tx, tx_id);
 OutputJSONBuffer(js, jhl->httplog_ctx->file_ctx, buffer);
 json_object_del(js, "http");
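Review bot: The comment `/* tx id for correlation with alerts */` on the new line does not say in what scope the id is unique; the DNS hunk calls the same value a "tx counter", and if it is a per-flow counter rather than a globally unique id, a consumer that joins `http` and `alert` records on `tx_id` alone will pair transactions from unrelated flows and attribute alerts to the wrong request. Suggest `/* tx_id: app-layer transaction counter; only unique within this flow, so correlate together with the flow tuple */`, and stating the same where the EVE output format is documented, which this patch does not touch. JsonHttpLogJSON starts outside this hunk.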