Eve JSON Output
===============
-Suricata can output alerts, http events, dns events, tls events and file info through json.
+The EVE output facility outputs alerts, metadata, file info and protocol
+specific records through JSON.
-The most common way to use this is through 'EVE', which is a firehose approach where all these logs go into a single file.
+The most common way to use this is through 'EVE', which is a firehose approach
+where all these logs go into a single file.
.. literalinclude:: ../../partials/eve-log.yaml
Each alert, http log, etc will go into this one file: 'eve.json'. This file
-can then be processed by 3rd party tools like Logstash or jq.
+can then be processed by 3rd party tools like Logstash (ELK) or jq.
Output types
~~~~~~~~~~~~
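Review bot: minor wording in the rewritten intro: "protocol specific records" should be hyphenated as "protocol-specific records", and "Logstash (ELK)" reads as if ELK were an alias for Logstash rather than the stack it belongs to; "Logstash (part of the ELK stack) or jq" says what is meant.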
escape-slash: yes
All these flags are enabled by default, and can be modified per EVE instance.
+
+Community Flow ID
+~~~~~~~~~~~~~~~~~
+
+Often Suricata is used in combination with other tools like Bro/Zeek. Enabling
+the community-id option in the eve-log section adds a new ``community_id``
+field to each output.
+
+Example::
+
+ {
+ "timestamp": "2003-12-16T13:21:44.891921+0000",
+ "flow_id": 1332028388187153,
+ "pcap_cnt": 1,
+ "event_type": "alert",
+ ...
+ "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
+ "alert": {
+ "action": "allowed",
+ "gid": 1,
+ "signature_id": 1,
+ },
+ }
+ {
+ "timestamp": "2003-12-16T13:21:45.037333+0000",
+ "flow_id": 1332028388187153,
+ "event_type": "flow",
+ "flow": {
+ "pkts_toserver": 5,
+ "pkts_toclient": 4,
+ "bytes_toserver": 338,
+ "bytes_toclient": 272,
+ "start": "2003-12-16T13:21:44.891921+0000",
+ "end": "2003-12-16T13:21:45.346457+0000",
+ "age": 1,
+ "state": "closed",
+ "reason": "shutdown",
+ "alerted": true
+ },
+ "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",
+ }
+
+Options
+"""""""
+
+The output can be enabled per instance of the EVE logger.
+
+The ``community-id`` option is boolean. If set to ``true`` it is enabled.
+The ``community-id-seed`` option specifies a unsigned 16 bit value that
+is used a seed to the hash that is calculated for the ``community-id``
+output. This must be set to the same value on all tools that output this
+record.
+
+YAML::
+
+ - eve-log:
+ # Community Flow ID
+ # Adds a 'community_id' field to EVE records. These are meant to give
+ # a records a predictable flow id that can be used to match records to
+ # output of other tools such as Bro.
+ #
+ # Takes a 'seed' that needs to be same across sensors and tools
+ # to make the id less predictable.
+
+ # enable/disable the community id feature.
+ community-id: false
+ # Seed value for the ID output. Valid values are 0-65535.
+ community-id-seed: 0
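Review bot: the last YAML comment contradicts the purpose stated two lines above it: "Takes a 'seed' that needs to be same across sensors and tools / to make the id less predictable." The whole point, per "give a records a predictable flow id" and the prose "This must be set to the same value on all tools that output this record", is that every tool computes the same ID from the same seed and flow, so the seed is a shared value for correlation, not something that adds unpredictability; reword to something like "Takes a 'seed' that needs to be the same across sensors and tools so that they all produce the same id for a flow." Smaller points in the same hunk: "specifies a unsigned 16 bit value that is used a seed" should read "specifies an unsigned 16-bit value that is used as a seed"; "give a records" should be "give records"; the example is not valid JSON because of the trailing commas after `"signature_id": 1,` and after both `"community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg=",` lines that close an object, so readers who paste it into jq will get a parse error; and the YAML comment says "Bro" where the prose says "Bro/Zeek", so pick one name.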