From: Jason Ish
Date: Mon, 11 Dec 2017 21:48:14 +0000 (-0600)
Subject: eve: metadata setting to enable/disable metadata
X-Git-Tag: suricata-4.1.0-beta1~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd988d9934286535897e3c5e9215d85ff7b1523f;p=thirdparty%2Fsuricata.git

eve: metadata setting to enable/disable metadata

This is a top level metadata object containing flowbits, flowints, pktvars and flowvars. Enabling it at the top level enables it for all log types.
---
diff --git a/src/output-json.c b/src/output-json.c
index 26bd123e99..03f3df010d 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -371,7 +371,7 @@ void JsonAddVars(const Packet *p, const Flow *f, json_t *js)
 /**
  * \brief Add top-level metadata to the eve json object.
  */
-static void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js)
 {
     if ((p && p->pktvar) || (f && f->flowvar)) {
         json_t *js_vars = json_object();
@@ -579,9 +579,6 @@ json_t *CreateJSONHeader(const Packet *p, int direction_sensitive,
     /* 5-tuple */
     JsonFiveTuple(p, direction_sensitive, js);
 
-    /* Metadata. */
-    JsonAddMetadata(p, f, js);
-
     /* icmp */
     switch (p->proto) {
         case IPPROTO_ICMP:
@@ -833,6 +830,15 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
             }
         }
 
+        /* Check if top-level metadata should be logged. */
+        const ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
+        if (metadata && metadata->val && ConfValIsFalse(metadata->val)) {
+            SCLogConfig("Disabling eve metadata logging.");
+            json_ctx->include_metadata = false;
+        } else {
+            json_ctx->include_metadata = true;
+        }
+
         json_ctx->file_ctx->type = json_ctx->json_out;
     }
 
diff --git a/src/output-json.h b/src/output-json.h
index 637d4b5ebd..c912a19dab 100644
--- a/src/output-json.h
+++ b/src/output-json.h
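Review bot: The doc comment on `JsonAddMetadata` should grow with its new external linkage; a public function that tolerates NULL arguments needs that spelled out, since callers in other translation units can no longer read the body for it. The guard `if ((p && p->pktvar) || (f && f->flowvar))` shows that both `p` and `f` may be NULL, so add `\param p Packet whose pktvars are logged; may be NULL`, `\param f Flow whose flowvars (and, per the commit message, flowbits/flowints) are logged; may be NULL` and `\param js Eve object that receives the metadata`. It would also help to state that callers are expected to consult `OutputJsonCtx::include_metadata` before calling, which is presumably the intended contract now that the unconditional call in `CreateJSONHeader` is removed in the next hunk. The body of `JsonAddMetadata` continues past the end of this hunk.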
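Review bot: Only an explicit false disables metadata, so a mistyped value such as `metadata: nope` silently falls into the `else` branch and enables it, with no diagnostic. Because this one switch decides whether the metadata object (flowbits, flowints, pktvars and flowvars, per the commit message) reaches every eve log type, a misconfiguration is worth surfacing: also check `ConfValIsTrue(metadata->val)` and emit an `SCLogWarning` when the value is neither true nor false, instead of treating it as enabled. Note too that nothing in this diff reads `include_metadata`, and the call removed from `CreateJSONHeader` in the previous hunk has no visible replacement; if the per-type loggers are wired up in a separate commit that is fine, but as this patch stands metadata appears to be dropped regardless of the setting. `OutputJsonInitCtx` starts before and ends after this hunk.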
@@ -41,6 +41,7 @@ typedef struct OutputJSONMemBufferWrapper_ {
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
 
 void JsonAddVars(const Packet *p, const Flow *f, json_t *js);
+void JsonAddMetadata(const Packet *p, const Flow *f, json_t *js);
 void CreateJSONFlowId(json_t *js, const Flow *f);
 void JsonTcpFlags(uint8_t flags, json_t *js);
 void JsonFiveTuple(const Packet *, int, json_t *);
@@ -55,6 +56,7 @@ OutputInitResult OutputJsonInitCtx(ConfNode *);
 typedef struct OutputJsonCtx_ {
     LogFileCtx *file_ctx;
     enum LogFileType json_out;
+    bool include_metadata;
 } OutputJsonCtx;
 
 json_t *SCJsonBool(int val);
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5bcb100bef..068bce55b7 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -163,6 +163,10 @@ outputs:
       # pipelining:
       # enabled: yes ## set enable to yes to enable query pipelining
       # batch-size: 10 ## number of entry to keep in buffer
+
+      # Include top level metadata. Default yes.
+      #metadata: no
+
       types:
         - alert:
             # payload: yes # enable dumping payload in Base64
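Review bot: The new `include_metadata` member of `OutputJsonCtx` carries no comment, yet this header is the only place other translation units can learn what the flag means. Add `/* Emit the top-level metadata object (flowbits, flowints, pktvars, flowvars) in every eve log type; set from the eve-log "metadata" setting, default true. */` above the field. `bool` also needs `<stdbool.h>` in scope in this header; whether an existing include already provides it cannot be seen from the hunk, as the header's include block lies outside it.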
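Review bot: The comment `# Include top level metadata. Default yes.` does not tell an operator what "metadata" covers, which matters because this single setting governs the content of every eve log type. The commit message is more precise, so reuse it: `# Include top level metadata (flowbits, flowints, pktvars, flowvars) in all eve log types. Default yes.`.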