doc: Document reference config setting
authorJeff Lucovsky <jeff.lucovsky@corelight.com>
Tue, 30 Apr 2024 17:11:50 +0000 (13:11 -0400)
committerVictor Julien <victor@inliniac.net>
Wed, 18 Sep 2024 08:31:03 +0000 (10:31 +0200)
Issue: 4974

doc/userguide/output/eve/eve-json-output.rst
doc/userguide/partials/eve-log.yaml
src/output-json-alert.c

index 4e0694cdb501abdf74e07c172114da1e355645e2..c9c1d63e021ebf4ba9d2f96457b55e53f8865f4b 100644 (file)
@@ -89,6 +89,9 @@ Metadata::
                 # Log the raw rule text.
                 #raw: false
 
+                # Include the rule reference information
+                #reference: false
+
 Anomaly
 ~~~~~~~
 
index a96bc90e8a1b4cde0ef76b91578c6aaf3d413c95..68a4b67064428383b3d46a0022bc2d6311abb552 100644 (file)
@@ -75,6 +75,19 @@ outputs:
             # payload-length: yes      # enable dumping payload length, including the gaps
             # packet: yes              # enable dumping of packet (without stream segments)
             # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
+            # If you want metadata, use:
+            # metadata:
+              # Include the decoded application layer (ie. http, dns)
+              #app-layer: true
+              # Log the current state of the flow record.
+              #flow: true
+              #rule:
+                # Log the metadata field from the rule in a structured
+                # format.
+                #metadata: true
+                # Log the raw rule text.
+                #raw: false
+                #reference: false      # include reference information from the rule
             # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
             # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
             # websocket-payload: yes   # Requires metadata; enable dumping of WebSocket Payload in Base64
index f2e40641408b13a47622b897186018d79f2f4e7b..11563e28a9160449e929f3a4206ac8b361c41a3e 100644 (file)
@@ -244,11 +244,11 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuil
         AlertJsonSourceTarget(p, pa, js, addr);
     }
 
-    if ((json_output_ctx != NULL) && (flags & LOG_JSON_REFERENCE)) {
+    if ((flags & LOG_JSON_REFERENCE)) {
         AlertJsonReference(pa, js);
     }
 
-    if ((json_output_ctx != NULL) && (flags & LOG_JSON_RULE_METADATA)) {
+    if (flags & LOG_JSON_RULE_METADATA) {
         AlertJsonMetadata(json_output_ctx, pa, js);
     }
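Review bot: With the `json_output_ctx != NULL` guard dropped from the second condition, `AlertJsonMetadata(json_output_ctx, pa, js)` is now called with a possibly NULL context whenever `LOG_JSON_RULE_METADATA` is set in `flags`. The callee is not visible in this hunk, so confirm it never dereferences that argument, and record the contract at the call site with a comment such as `/* json_output_ctx may be NULL here; AlertJsonMetadata must tolerate it */`. The first condition keeps a redundant pair of parentheses, `if ((flags & LOG_JSON_REFERENCE)) {`, while the second was written as `if (flags & LOG_JSON_RULE_METADATA) {`; use the second form for both. The commit is titled as a documentation change, yet this hunk alters when reference and rule metadata are emitted, which is worth stating in the description. AlertJsonHeader's body starts and ends outside the hunk.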