Some stats can be quite verbose if logging all zero-valued counters.
This allows users to disable logging such counters. Default is still
true, as that's the expected behavior for the engine.
Task #5976
# (will show more information in case of a drop caused by 'reject')
verdict: yes
+.. _eve-json-output-stats:
+
+Stats
+~~~~~
+
+Zero-valued Counters
+""""""""""""""""""""
+
+While the human-friendly `stats.log` output will only log out non-zeroed
+counters, by default EVE Stats logs output all enabled counters, which may lead
+to fairly verbose logs.
+
+To reduce log file size, one may set `zero-valued-counters` to false. Do note
+that this may impact on the visibility of information for which a stats counter
+as zero is relevant.
+
+Config::
+
+ - stats:
+ # Don't log stats counters that are zero. Default: true
+ #zero-valued-counters: false # False will NOT log stats counters: 0
Date modifiers in filename
~~~~~~~~~~~~~~~~~~~~~~~~~~
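Review bot: The new "Zero-valued Counters" paragraphs mark `stats.log` and `zero-valued-counters` with single backticks, which reStructuredText treats as interpreted text rather than an inline literal. Use double backticks, as the upgrade notes in this same change do for ``SIP_PORTS``, so the file name and the option name render as code. The sentence "this may impact on the visibility of information for which a stats counter as zero is relevant" would also be easier to follow if it said directly that a counter sitting at zero can itself be meaningful and will no longer appear in the record.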
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #zero-valued-counters: false # False will NOT log stats counters: 0
- dhcp:
# DHCP logging.
enabled: yes
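Review bot: The comment added above `#zero-valued-counters: false` reads "Don't log stats counters that are zero. Default: true", which suggests that not logging is what defaults to true, while the commit message says the default of true keeps zero counters in the output. Describe the option in its positive sense, for example "Log stats counters that are zero. Default: true", and let the trailing comment explain what false does. The same wording is used in the other two YAML snippets in this change and should be updated with it.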
- ``SIP_PORTS`` variable has been introduced in suricata.yaml
- Application layer's ``sip`` counter has been split into ``sip_tcp`` and ``sip_udp``
for the ``stats`` event.
+- Stats counters that are 0 can now be hidden from EVE logs. Default behavior
+ still logs those (see :ref:`EVE Output - Stats <eve-json-output-stats>` for configuration setting).
Upgrading 6.0 to 7.0
--------------------
for (u = 0; u < st->nstats; u++) {
if (st->stats[u].name == NULL)
continue;
+ if (flags & JSON_STATS_NO_ZEROES && st->stats[u].value == 0) {
+ continue;
+ }
+
json_t *js_type = NULL;
const char *stat_name = st->stats[u].short_name;
/*
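Review bot: The new condition at the top of the totals loop, `flags & JSON_STATS_NO_ZEROES && st->stats[u].value == 0`, mixes `&` and `&&` without parentheses. It parses as intended because `&` binds tighter than `&&`, but a reader has to check the precedence table to be sure. Writing it as `(flags & JSON_STATS_NO_ZEROES) && st->stats[u].value == 0` makes the bit test explicit. The same applies to the identical check in the per-thread loop.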
for (u = offset; u < (offset + st->nstats); u++) {
if (st->tstats[u].name == NULL)
continue;
+ if (flags & JSON_STATS_NO_ZEROES && st->tstats[u].value == 0) {
+ continue;
+ }
DEBUG_VALIDATE_BUG_ON(st->tstats[u].tm_name == NULL);
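Review bot: In the per-thread loop the zero-value `continue` is placed before `DEBUG_VALIDATE_BUG_ON(st->tstats[u].tm_name == NULL)`, so with JSON_STATS_NO_ZEROES set the debug validation no longer runs for any entry whose value is 0. If that check is meant to cover every named entry, move the new `if` below it. This hunk also omits the blank line that the totals loop leaves after the new block; keeping the two loops identical makes the duplicated check easier to spot.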
const char *totals = ConfNodeLookupChildValue(conf, "totals");
const char *threads = ConfNodeLookupChildValue(conf, "threads");
const char *deltas = ConfNodeLookupChildValue(conf, "deltas");
+ const char *zero_counters = ConfNodeLookupChildValue(conf, "zero-valued-counters");
SCLogDebug("totals %s threads %s deltas %s", totals, threads, deltas);
if ((totals != NULL && ConfValIsFalse(totals)) &&
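Review bot: `zero_counters` is looked up next to `totals`, `threads` and `deltas`, but the `SCLogDebug("totals %s threads %s deltas %s", ...)` line directly below is left unchanged, so the new setting is the only one of the four that is not visible in the debug output. Add it to that format string so a misconfigured value can be diagnosed the same way as the others.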
if (deltas != NULL && ConfValIsTrue(deltas)) {
stats_ctx->flags |= JSON_STATS_DELTAS;
}
+ if (zero_counters != NULL && ConfValIsFalse(zero_counters)) {
+ stats_ctx->flags |= JSON_STATS_NO_ZEROES;
+ }
SCLogDebug("stats_ctx->flags %08x", stats_ctx->flags);
}
-/* Copyright (C) 2014 Open Information Security Foundation
+/* Copyright (C) 2014-2024 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
#include "output-stats.h"
-#define JSON_STATS_TOTALS (1<<0)
-#define JSON_STATS_THREADS (1<<1)
-#define JSON_STATS_DELTAS (1<<2)
+#define JSON_STATS_TOTALS (1 << 0)
+#define JSON_STATS_THREADS (1 << 1)
+#define JSON_STATS_DELTAS (1 << 2)
+#define JSON_STATS_NO_ZEROES (1 << 3)
json_t *StatsToJSON(const StatsTable *st, uint8_t flags);
TmEcode OutputEngineStatsReloadTime(json_t **jdata);
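Review bot: `JSON_STATS_NO_ZEROES` is added without a comment, and its sense is inverted relative to the `zero-valued-counters` option that controls it: the flag is set when the option is false. A one-line comment on the define stating that it suppresses counters whose value is 0 would save the next reader from tracing it back to the config parsing. The whitespace-only rewrite of the three existing defines is fine if it comes from the formatter, but it is worth mentioning in the commit message since it makes the functional change here a single line among four.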
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #zero-valued-counters: false # False will NOT log stats counters: 0
+ # Exception policy stats counters options
# bi-directional flows
- flow
# uni-directional flows
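Review bot: The last added line in this hunk, `# Exception policy stats counters options`, is not followed by any option; the next lines are the existing `# bi-directional flows` and `- flow` entries. It does not relate to `zero-valued-counters` and looks like it was carried in from other work. Drop it from this change, or add it together with the options it is meant to introduce.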