Fix eve 'filetype' parsing

Now that we use 'filetype' instead of 'type', we should also use 'regular' instead of 'file'. Added fallback to make sure we stay compatible to old configs.
11 years ago · fdd407751e
parent bfb6175bf6
commit fdd407751e
3 changed files with 6 additions and 4 deletions
--- a/src/output-json.c
+++ b/src/output-json.c
@ -394,7 +394,8 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
        }

        if (output_s != NULL) {
-            if (strcmp(output_s, "file") == 0) {
+            if (strcmp(output_s, "file") == 0 ||
+                strcmp(output_s, "regular") == 0) {
                json_ctx->json_out = ALERT_FILE;
            } else if (strcmp(output_s, "syslog") == 0) {
                json_ctx->json_out = ALERT_SYSLOG;
--- a/src/util-logopenfile.c
+++ b/src/util-logopenfile.c
@ -199,7 +199,8 @@ SCConfLogOpenGeneric(ConfNode *conf,
        log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM);
        if (log_ctx->fp == NULL)
            return -1; // Error already logged by Open...Fp routine
-    } else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0) {
+    } else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0 ||
+               strcasecmp(filetype, "file") == 0) {
        log_ctx->fp = SCLogOpenFileFp(log_path, append);
        if (log_ctx->fp == NULL)
            return -1; // Error already logged by Open...Fp routine
@ -216,7 +217,7 @@ SCConfLogOpenGeneric(ConfNode *conf,
            return -1; // Error already logged by Open...Fp routine
    } else {
        SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
-                   "%s.type.  Expected \"regular\" (default), \"unix_stream\", "
+                   "%s.filetype.  Expected \"regular\" (default), \"unix_stream\", "
                   "\"pcie\" "
                   "or \"unix_dgram\"",
                   conf->name);
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -85,7 +85,7 @@ outputs:
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
-      filetype: file #file|syslog|unix_dgram|unix_stream
+      filetype: regular #regular|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata"