From: Justin Ossevoort
Date: Fri, 8 May 2020 13:33:36 +0000 (+0200)
Subject: eve: Log tenant_id for all eve-json messages
X-Git-Tag: suricata-7.0.0-beta1~1927
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=320de5f43d6b3be88ce69afe57c3d1b0b12c4337;p=thirdparty%2Fsuricata.git
eve: Log tenant_id for all eve-json messages
---
diff --git a/doc/userguide/configuration/multi-tenant.rst b/doc/userguide/configuration/multi-tenant.rst
index 683953a166..5ad0ee7c76 100644
--- a/doc/userguide/configuration/multi-tenant.rst
+++ b/doc/userguide/configuration/multi-tenant.rst
@@ -215,3 +215,10 @@ unregister-tenant-handler vlan
 The registration of tenant and tenant handlers can be done on a running engine.
+
+Eve JSON output
+---------------
+
+When multi-tenant support is configured and the detect engine is active then
+all EVE-types that report based on flows will also report the corresponding
+``tenant_id`` for events matching a tenant configuration.
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index a195a021bd..b2079ea457 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -501,5 +501,12 @@ YAML::
 # Seed value for the ID output. Valid values are 0-65535.
 community-id-seed: 0
+Multi Tenancy
+-------------
+
+Suricata can be configured to support multiple tenants with different detection
+engine configurations. When these tenants are configured and the detection
+engine is running then all EVE logging will also report the ``tenant_id`` field
+for traffic matching a specific tenant.
 .. _deprecation policy: https://suricata-ids.org/about/deprecation-policy/
diff --git a/src/output-json.c b/src/output-json.c
index 57b4222002..1c1bda58b5 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -453,6 +453,9 @@ void EveAddCommonOptions(const OutputJsonCommonSettings *cfg,
 if (cfg->include_community_id && f != NULL) {
 CreateEveCommunityFlowId(js, f, cfg->community_id_seed);
 }
+ if (f != NULL && f->tenant_id > 0) {
+ jb_set_uint(js, "tenant_id", f->tenant_id);
+ }
 }
 /**
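Review bot: The new `if (f != NULL && f->tenant_id > 0)` encodes the rule that tenant id 0 means "no tenant" without saying so; a comment above the added `if`, such as `/* tenant_id 0 means the flow matched no tenant: omit the field rather than emit a meaningless 0 */`, would make the sentinel explicit for readers of this function and tie it to the doc hunks, which describe the field only for "events matching a tenant configuration". The body of EveAddCommonOptions starts outside the hunk, so it is not visible whether `f` is read under the flow lock or whether `tenant_id` is only ever written at flow setup; a one-line note on that expectation at the read would help reviewers of the many callers this common path serves. If any per-event logger already emits its own `tenant_id` key, this common path would now produce a duplicate key in the same JSON object, which consumers correlating events by tenant would trip over; that is worth checking before the field is documented as present on all event types.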