From: Victor Julien
Date: Thu, 23 Nov 2023 05:49:41 +0000 (+0100)
Subject: eve/frame: implement payload-buffer-size option
X-Git-Tag: suricata-8.0.0-beta1~1621
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=829bab295b1bdf58c7df00a62b2d083294744b5c;p=thirdparty%2Fsuricata.git

eve/frame: implement payload-buffer-size option

Modeled after the same option in eve/alert. Defaults to 4k.
---

diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 665010a6e4..3bccdc6b2f 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -482,8 +482,22 @@ static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent
 goto error;
 }
+ uint32_t payload_buffer_size = 4096;
+ if (conf != NULL) {
+ const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
+ if (payload_buffer_value != NULL) {
+ uint32_t value;
+ if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
+ SCLogError("Error parsing payload-buffer-size \"%s\"", payload_buffer_value);
+ goto error;
+ }
+ payload_buffer_size = value;
+ }
+ }
+
 json_output_ctx->file_ctx = ajt->file_ctx;
 json_output_ctx->eve_ctx = ajt;
+ json_output_ctx->payload_buffer_size = payload_buffer_size;
 output_ctx->data = json_output_ctx;
 output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index a6d91b27d4..38f5152f5d 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -177,6 +177,7 @@ outputs:
 - frame:
 # disabled by default as this is very verbose.
 enabled: no
+ # payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
 - anomaly:
 # Anomaly log records describe unexpected conditions such
 # as truncated packets, packets with invalid IP/UDP/TCP
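Review bot: The parsed `value` is copied into `payload_buffer_size` with no range check, so `payload-buffer-size: 0` or anything up to the `uint32_t` ceiling is accepted whenever `ParseSizeStringU32` succeeds. How the size is consumed lies outside this hunk, so it is only presumed to size the frame payload buffer; if it does, an oversized setting becomes a large allocation and longer payload excerpts in eve-log, and zero presumably yields an unusable buffer. Consider rejecting out-of-range input right after the parse, e.g. `if (value == 0) { SCLogError("payload-buffer-size must be greater than 0"); goto error; }`, together with an upper bound chosen by the project. `JsonFrameLogInitCtxSub` begins and ends outside the hunk, so what the `error` label releases could not be checked here.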