suricata

Commit Graph

Author	SHA1	Message	Date
Victor Julien	5d96ea570f	eve-file: set event_type to fileinfo To remain constistent with the other logs, set the event type to the same name as the structure containing the defails. In this case fileinfo. Part of bug #1127.	12 years ago
Victor Julien	305da0248d	eve-files: file -> fileinfo Due to what appears to be an issue in logstash, the 'file' part of the file event types was masked by a field that logstash-forwarder added itself. Since logstash-forwarder is an important part of the logstash stack, this patch works around the issue by renaming our 'file' structure to 'fileinfo', thus resolving the naming conflict. Bug #1127	12 years ago
Victor Julien	a3b0577a1f	output: add TM_FLAG_LOGAPI_TM thread module flag The TM_FLAG_LOGAPI_TM flag indicates that a module is run by the log api, not by the 'regular' thread module call functions. Set flag in all all Log API users' registration code. Purpose of this flag is in profiling. In profiling output it will be used to list log api thread modules separately.	12 years ago
Victor Julien	74fb60c010	Replace remaining SCStrndup calls Replace them with BytesToString().	12 years ago
Victor Julien	2b60871bf1	json loggers: dup bstr with bstr_util_strdup_to_c In various places SCStrndup was used to 'dup' a bstr string, however libhtp provides bstr_util_strdup_to_c for this. As this is a cleaner interface, it's preferred.	12 years ago
Eric Leblond	0189b4d1eb	json file: separate http params This patch separates http keys from file to have a different value list: { "time":"01\/31\/2014-12:04:52.837245","event_type":"file","src_ip":"5.3.1.1","src_port":80,"dest_ip":"1.8.1.9","dest_port":9539,"proto":"TCP", "http":{"url":"/foo/","hostname":"bar.com","http_refer":"http:\/\/bar.org","http_user_agent":"Mozilla\/5.0"}, "file":{"filename":"bar","magic":"unknown","state":"CLOSED","stored":false,"size":21} } One interest of this modification is that it is possible to use the same key as the one used in http events. Thus correlating both type of events is trivial. On code side, this will permit to factorize the code by simply asking the underlying protocol to output its info in a json object. Second interest is that adding file extraction for a new protocol will result in only changing the protocol specific json list.	12 years ago
Eric Leblond	6fd9b4b255	json: add event_type key This patch adds an event_type key to the generated events. Current value is one of "dns", "alert, "file", "tls", "http", "drop". It is then easy to differentiate in log analysis tools the events based on source inside Suricata.	12 years ago
Victor Julien	3fc63d3656	jansson file log: make file log module Turn the libjansson based file logger into a file module, as a child of eve-log.	12 years ago
Tom DeCanio	18458a14fb	json: rebase fixes - restore json output-file.[ch] as output-json-file.[ch] after rebase conflict - fix Makefile.am after merge conflict - some dev-log-api-v4.0 rebase json fallout cleanup	12 years ago

9 Commits (7ee3b456a3fa52ae0ec194f4fea2e3e40348979a)