eve: metadata setting to enable/disable metadata

This is a top level metadata object containing flowbits,
flowints, pktvars and flowvars.

Enabling it at the top level enables it for all log types.

diff --git a/src/output-json.c b/src/output-json.c
index 26bd123e99899df75b08894ccca4327e084b56d5..03f3df010d1b644f7d22694757154154cc26156a 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -371,7 +371,7 @@ void JsonAddVars(const Packet *p, const Flow *f, json_t *js)
 /**
  * \brief Add top-level metadata to the eve json object.
  */
-static void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
 {
     if ((p && p->pktvar) || (f && f->flowvar)) {
         json_t *js_vars = json_object();
@@ -579,9 +579,6 @@ json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
     /* 5-tuple */
     JsonFiveTuple(p, direction_sensitive, js);
 
-    /* Metadata. */
-    JsonAddMetadata(p, f, js);
-
     /* icmp */
     switch (p->proto) {
         case IPPROTO_ICMP:
@@ -833,6 +830,15 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
             }
         }
 
+        /* Check if top-level metadata should be logged. */
+        const ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
+        if (metadata && metadata->val && ConfValIsFalse(metadata->val)) {
+            SCLogConfig("Disabling eve metadata logging.");
+            json_ctx->include_metadata = false;
+        } else {
+            json_ctx->include_metadata = true;
+        }
+
         json_ctx->file_ctx->type = json_ctx->json_out;
     }
 

diff --git a/src/output-json.h b/src/output-json.h
index 637d4b5ebdfce768ca0e17e2f43d578d36ff8500..c912a19dab5762f5a37775a61a7202b95c7dd900 100644 (file)
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -41,6 +41,7 @@ typedef struct OutputJSONMemBufferWrapper_ {
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
 
 void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
 void JsonFiveTuple(const Packet *, int, json_t *);
@@ -55,6 +56,7 @@ OutputInitResult OutputJsonInitCtx(ConfNode *);
 typedef struct OutputJsonCtx_ {
     LogFileCtx *file_ctx;
     enum LogFileType json_out;
+    bool include_metadata;
 } OutputJsonCtx;
 
 json_t *SCJsonBool(int val);

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5bcb100befedd7815f6bc03c1d8e4c30efb7fa0b..068bce55b756d4ae38575e97490543a1ad17cf40 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -163,6 +163,10 @@ outputs:
       #  pipelining:
       #    enabled: yes ## set enable to yes to enable query pipelining
       #    batch-size: 10 ## number of entry to keep in buffer
+
+      # Include top level metadata. Default yes.
+      #metadata: no
+
       types:
         - alert:
             # payload: yes             # enable dumping payload in Base64