eve.stats: make decoder event prefix configurable

diff --git a/src/counters.c b/src/counters.c
index b1595884da723a11d89fe456f2714a50df77bbab..402960b195de9f7eeef21474a867f67729db1869 100644 (file)
--- a/src/counters.c
+++ b/src/counters.c
@@ -100,6 +100,7 @@ static char stats_enabled = TRUE;
 
 /**< add decoder events as stats? enabled by default */
 bool stats_decoder_events = true;
+const char *stats_decoder_events_prefix = "decoder";
 /**< add stream events as stats? disabled by default */
 bool stats_stream_events = false;
 
@@ -252,6 +253,17 @@ static void StatsInitCtx(void)
         if (ret) {
             stats_stream_events = (b == 1);
         }
+
+        const char *prefix = NULL;
+        if (ConfGet("stats.decoder-events-prefix", &prefix) != 1) {
+            prefix = "decoder";
+            SCLogWarning(SC_WARN_DEFAULT_WILL_CHANGE, "in 5.0 the default "
+                    "for decoder event stats will go from "
+                    "'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. "
+                    "See ticket #2225. To suppress this message, "
+                    "set stats.decoder-events-prefix in the yaml.");
+        }
+        stats_decoder_events_prefix = prefix;
     }
 
     if (!OutputStatsLoggersRegistered()) {

diff --git a/src/decode.c b/src/decode.c
index 8589086e7d142c455380f6051c2fb6546b5db5f6..3a109b378f58f09826137cb69c6e589532791cef 100644 (file)
--- a/src/decode.c
+++ b/src/decode.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2019 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -68,6 +68,7 @@
 #include "output-flow.h"
 
 extern bool stats_decoder_events;
+const char *stats_decoder_events_prefix;
 extern bool stats_stream_events;
 
 int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
@@ -501,7 +502,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
             char name[256];
             char *dot = index(DEvents[i].event_name, '.');
             BUG_ON(!dot);
-            snprintf(name, sizeof(name), "decoder.events.%s", dot+1);
+            snprintf(name, sizeof(name), "%s.%s",
+                    stats_decoder_events_prefix, dot+1);
 
             const char *found = HashTableLookup(g_counter_table, name, 0);
             if (!found) {

diff --git a/src/util-error.c b/src/util-error.c
index 6cd3bb44688de9796d640af5ccc9927c2519aff0..60b04ccc826f0ecaede4c57b61fa4032735d846f 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -357,6 +357,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_WINDIVERT_INVALID_FILTER);
         CASE_CODE (SC_ERR_WINDIVERT_TOOLONG_FILTER);
         CASE_CODE (SC_WARN_RUST_NOT_AVAILABLE);
+        CASE_CODE (SC_WARN_DEFAULT_WILL_CHANGE);
 
         CASE_CODE (SC_ERR_MAX);
     }

diff --git a/src/util-error.h b/src/util-error.h
index 6f0bad32572e162772b5b8e3d0a58813f371a9e8..015c5720b617df1903630f5e513e19833b767987 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -347,6 +347,7 @@ typedef enum {
     SC_ERR_WINDIVERT_INVALID_FILTER,
     SC_ERR_WINDIVERT_TOOLONG_FILTER,
     SC_WARN_RUST_NOT_AVAILABLE,
+    SC_WARN_DEFAULT_WILL_CHANGE,
 
     SC_ERR_MAX,
 } SCError;

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 3a4f147edbefac3965986ecf420a63e2c37383c7..9f3b7885204b6e7159b4f9064bb8344f3a7ee015 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -62,6 +62,9 @@ stats:
   interval: 8
   # Add decode events as stats.
   #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  decoder-events-prefix: "decoder.event"
   # Add stream events as stats.
   #stream-events: false