From afa58de371c92c7037214342545b48edd492122f Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 26 Jun 2023 10:57:00 -0600
Subject: [PATCH] eve/alert: warn on obsolete flags

Log a warning on obsolete flags. If the flag is to enable, do the enable. But do not honor disable flags, as these could override the new settings and cause hard to debug issues.
Ticket: #6175
---
 src/output-json-alert.c | 47 +++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 7 deletions(-)
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 76b296de80..9202d308e7 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -35,6 +35,7 @@
 #include "threadvars.h"
 #include "util-debug.h"
+#include "util-error.h"
 #include "util-logopenfile.h"
 #include "util-misc.h"
 #include "util-unittest.h"
@@ -871,6 +872,38 @@ static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint1
 }
 }
+/**
+ * \brief Set, but don't unset and warn about deprecated flags.
+ */
+static void SetDeprecatedFlag(
+ const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
+{
+ DEBUG_VALIDATE_BUG_ON(conf == NULL);
+ const char *setting = ConfNodeLookupChildValue(conf, name);
+ if (setting != NULL) {
+ if (ConfValIsTrue(setting)) {
+ if (flag == LOG_JSON_APP_LAYER) {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert app-layer flag \"%s\", enabling "
+ "metadata.app-layer",
+ name);
+ } else if (flag == LOG_JSON_FLOW) {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert \"flow\" flag, enabling metadata.flow");
+ } else {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Found deprecated eve-log.alert flag \"%s\", please update your "
+ "configuration",
+ name);
+ }
+ *out_flags |= flag;
+ } else {
+ SCLogWarning(SC_WARN_DEPRECATED,
+ "Ignoring deprecated eve-log.alert flag \"%s\", this flag has no effect", name);
+ }
+ }
+}
+
 #define DEFAULT_LOG_FILENAME "alert.json"
 static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
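Review bot: The final `else` branch of SetDeprecatedFlag tells the operator that a false value "has no effect" but not where the setting moved, unlike the two enable messages, which name metadata.app-layer and metadata.flow. An operator who had set one of these flags to a false value to keep application-layer or flow records out of alert events will now only learn that the flag is ignored; what is then logged depends on the metadata settings and their defaults, which are outside this hunk. I would name the replacement in the message, for example `"Ignoring deprecated eve-log.alert flag \"%s\", use the eve-log.alert metadata settings instead", name);`. The `\brief` comment could also state that every value ConfValIsTrue() rejects, including a misspelt one, takes the ignore path.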
@@ -909,17 +942,17 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 /* Check for obsolete configuration flags to enable specific
 * protocols. These are now just aliases for enabling
 * app-layer logging. */
- SetFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "http", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "tls", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "ssh", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "smtp", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "dnp3", LOG_JSON_APP_LAYER, &flags);
 /* And check for obsolete configuration flags for enabling
 * app-layer and flow as these have been moved under the
 * metadata key. */
- SetFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
- SetFlag(conf, "flow", LOG_JSON_FLOW, &flags);
+ SetDeprecatedFlag(conf, "app-layer", LOG_JSON_APP_LAYER, &flags);
+ SetDeprecatedFlag(conf, "flow", LOG_JSON_FLOW, &flags);
 const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
--
2.47.2
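Review bot: These seven calls still OR the bit into `flags` for a true value, so a stale deprecated key left in the configuration can turn app-layer or flow logging back on even where the new metadata setting disables it. That holds only if the metadata block earlier in JsonAlertLogSetupMetadata runs before this point; that part of the function is outside the hunk, so it needs confirming. The commit message drops disables because they "could override the new settings", and honoring enables has the same effect in the other direction, with more data in alert records than the operator configured. At minimum the comment above the first call should say so, e.g. `/* Deprecated flags can only enable: a true value is honored with a warning, a false value is ignored. */`.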