aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix eve 'filetype' parsing

Browse Source 
Now that we use 'filetype' instead of 'type', we should also
use 'regular' instead of 'file'.

Added fallback to make sure we stay compatible to old configs.
pull/1020/merge
Victor Julien 11 years ago
parent bfb6175bf6
commit fdd407751e
3 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File

3
src/output-json.c
Unescape Escape View File

@ -394,7 +394,8 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
} }
if (output_s != NULL) { if (output_s != NULL) {
if (strcmp(output_s, "file") == 0) { if (strcmp(output_s, "file") == 0 ||
strcmp(output_s, "regular") == 0) {
json_ctx->json_out = ALERT_FILE; json_ctx->json_out = ALERT_FILE;
} else if (strcmp(output_s, "syslog") == 0) { } else if (strcmp(output_s, "syslog") == 0) {
json_ctx->json_out = ALERT_SYSLOG; json_ctx->json_out = ALERT_SYSLOG;

5
src/util-logopenfile.c
Unescape Escape View File

@ -199,7 +199,8 @@ SCConfLogOpenGeneric(ConfNode *conf,
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM); log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM);
if (log_ctx->fp == NULL) if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine return -1; // Error already logged by Open...Fp routine
} else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0) { } else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0 ||
strcasecmp(filetype, "file") == 0) {
log_ctx->fp = SCLogOpenFileFp(log_path, append); log_ctx->fp = SCLogOpenFileFp(log_path, append);
if (log_ctx->fp == NULL) if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine return -1; // Error already logged by Open...Fp routine
@ -216,7 +217,7 @@ SCConfLogOpenGeneric(ConfNode *conf,
return -1; // Error already logged by Open...Fp routine return -1; // Error already logged by Open...Fp routine
} else { } else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for " SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
"%s.type. Expected \"regular\" (default), \"unix_stream\", " "%s.filetype. Expected \"regular\" (default), \"unix_stream\", "
"\"pcie\" " "\"pcie\" "
"or \"unix_dgram\"", "or \"unix_dgram\"",
conf->name); conf->name);

2
suricata.yaml.in
Unescape Escape View File

@ -85,7 +85,7 @@ outputs:
# Extensible Event Format (nicknamed EVE) event log in JSON format # Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log: - eve-log:
enabled: yes enabled: yes
filetype: file #file|syslog|unix_dgram|unix_stream filetype: regular #regular|syslog|unix_dgram|unix_stream
filename: eve.json filename: eve.json
# the following are valid when type: syslog above # the following are valid when type: syslog above
#identity: "suricata" #identity: "suricata"

Write Preview
Loading…
Cancel
Save