output: option to add suricata version in eve logs

Ticket: 4853

diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index 7ebda748d0ecb34d54fc83d4bcc6fa83a4f1efd8..6b96b56b46201c6af8e9fcfc7f69aca5967d41e9 100644 (file)
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -19,6 +19,9 @@ if available. If the ``pkt_src`` value is ``stream (flow timeout)``, then the
 ``ethernet`` value will be populated with mac addresses from the flow's first
 packet with ethernet header.
 
+If ``suricata-version`` is set to yes, then Suricata version, with its git
+revision if available, will be added to events as ``suricata_version``.
+
 Output Buffering
 ~~~~~~~~~~~~~~~~
 
@@ -69,6 +72,7 @@ Output types::
       #level: Info ## possible levels: Emergency, Alert, Critical,
                    ## Error, Warning, Notice, Info, Debug
       #ethernet: no # log ethernet header in events when available
+      #suricata-version: no # include suricata version. Default no.
       #redis:
       #  server: 127.0.0.1
       #  port: 6379

diff --git a/etc/schema.json b/etc/schema.json
index 6d21b74204001cf2c1399bf72e1532c77def6b25..ef554f917edf0dcbe8d05a5afc4211c9a95a79c1 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -99,6 +99,9 @@
         "src_port": {
             "type": "integer"
         },
+        "suricata_version": {
+            "type": "string"
+        },
         "stream": {
             "type": "integer"
         },

diff --git a/src/output-json.c b/src/output-json.c
index 4f8b3cad3451ac1855e8a47dd990a0eda2b12336..b1f327580a06a7a64a7cccce10b2d9a5f7ab3d86 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -398,6 +398,9 @@ void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js)
 void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, const Flow *f,
         SCJsonBuilder *js, enum SCOutputJsonLogDirection dir)
 {
+    if (cfg->include_suricata_version) {
+        SCJbSetString(js, "suricata_version", PROG_VER);
+    }
     if (cfg->include_metadata) {
         EveAddMetadata(p, f, js);
     }
@@ -1226,6 +1229,14 @@ OutputInitResult OutputJsonInitCtx(SCConfNode *conf)
             json_ctx->cfg.include_ethernet = false;
         }
 
+        const SCConfNode *suriver = SCConfNodeLookupChild(conf, "suricata-version");
+        if (suriver && suriver->val && SCConfValIsTrue(suriver->val)) {
+            SCLogConfig("Enabling Suricata version logging.");
+            json_ctx->cfg.include_suricata_version = true;
+        } else {
+            json_ctx->cfg.include_suricata_version = false;
+        }
+
         /* See if we want to enable the community id */
         const SCConfNode *community_id = SCConfNodeLookupChild(conf, "community-id");
         if (community_id && community_id->val && SCConfValIsTrue(community_id->val)) {

diff --git a/src/output-json.h b/src/output-json.h
index a126391f28b6377f62754c7f6ad38ea66c603972..1f4fec70d041f3aaa5a23579d4ca860be23b8795 100644 (file)
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -65,6 +65,7 @@ typedef struct OutputJsonCommonSettings_ {
     bool include_metadata;
     bool include_community_id;
     bool include_ethernet;
+    bool include_suricata_version;
     uint16_t community_id_seed;
 } OutputJsonCommonSettings;
 

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 66c9ef5fdc9fe51115e745ac6296a98a806b276e..de07871fe42994cef3e5a8bb3cbc987685f876c0 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -139,6 +139,8 @@ outputs:
 
       # Include top level metadata. Default yes.
       #metadata: no
+      # Include suricata version. Default no.
+      #suricata-version: yes
 
       # include the name of the input pcap file in pcap file processing mode
       pcap-file: false