output-json: add sensor-name config variable

When using redis output, we are loosing the host key (added by
logstash or logstash-forwarder) and we can't find anymore what
Suricata did cause the alert.

This patch is adding this key during message generation using the
'sensor-name' variable or the hostname is 'sensor-name' is not
defined.

diff --git a/src/output-json.c b/src/output-json.c
index aa803d12fb5d086711de63bb0af4574872652776..d45bbb12337b8e728de01c98e20ffaffaad0edd4 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -341,8 +341,17 @@ json_t *CreateJSONHeaderWithTxId(Packet *p, int direction_sensitive, char *event
 
 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
 {
-    char *js_s = json_dumps(js,
-                            JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
+    char *js_s = NULL;
+
+#ifdef HAVE_LIBHIREDIS
+    if (file_ctx->type == LOGFILE_TYPE_REDIS) {
+        json_object_set_new(js, "host",
+                            json_string(file_ctx->redis_setup.sensor_name));
+    }
+#endif
+
+    js_s = json_dumps(js,
+            JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
 #ifdef JSON_ESCAPE_SLASH
                             JSON_ESCAPE_SLASH
 #else
@@ -582,11 +591,20 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
 #ifdef HAVE_LIBHIREDIS
         else if (json_ctx->json_out == LOGFILE_TYPE_REDIS) {
             ConfNode *redis_node = ConfNodeLookupChild(conf, "redis");
+            const char *sensor_name = ConfNodeLookupChildValue(conf, "sensor-name");
             const char *redis_server = NULL;
             const char *redis_port = NULL;
             const char *redis_mode = NULL;
             const char *redis_key = NULL;
 
+            if (!sensor_name) {
+                char hostname[1024];
+                gethostname(hostname, 1023);
+                sensor_name = hostname;
+            }
+            json_ctx->file_ctx->redis_setup.sensor_name = SCStrdup(sensor_name);
+
+
             if (redis_node) {
                 redis_server = ConfNodeLookupChildValue(redis_node, "server");
                 redis_port =  ConfNodeLookupChildValue(redis_node, "port");

diff --git a/src/util-logopenfile.h b/src/util-logopenfile.h
index b5ac9823deac8091bb15996357630bc626f3c97d..775647a6b389ffdc1f8facbb3f7041cb45c89c25 100644 (file)
--- a/src/util-logopenfile.h
+++ b/src/util-logopenfile.h
@@ -27,7 +27,9 @@
 #include "conf.h"            /* ConfNode   */
 #include "tm-modules.h"      /* LogFileCtx */
 
+#ifdef HAVE_LIBHIREDIS
 #include "hiredis/hiredis.h"
+#endif
 
 typedef struct {
     uint16_t fileno;
@@ -39,13 +41,16 @@ enum LogFileType { LOGFILE_TYPE_FILE,
                    LOGFILE_TYPE_UNIX_STREAM,
                    LOGFILE_TYPE_REDIS };
 
+#ifdef HAVE_LIBHIREDIS
 enum RedisMode { REDIS_LIST, REDIS_CHANNEL };
 
 typedef struct RedisSetup_ {
     enum RedisMode mode;
     char *command;
     char *key;
+    char *sensor_name;
 } RedisSetup;
+#endif
 
 /** Global structure for Output Context */
 typedef struct LogFileCtx_ {

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 30921751a92950ca0cccff3ab26e3f689783d1f4..43d5e17a4c5542afbdf36a79ec6cfc18f7bb334b 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -44,6 +44,10 @@ host-mode: auto
 #  user: suri
 #  group: suri
 
+# Some logging module will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
 # Default pid file.
 # Will use this file if no --pidfile in command options.
 #pid-file: /var/run/suricata.pid