eve: add tx_id to output for alerts and events

author Victor Julien <victor@inliniac.net>

Sat, 12 Jul 2014 07:25:21 +0000 (09:25 +0200)

committer Victor Julien <victor@inliniac.net>

Wed, 30 Jul 2014 12:47:31 +0000 (14:47 +0200)
author Victor Julien <victor@inliniac.net>
Sat, 12 Jul 2014 07:25:21 +0000 (09:25 +0200)
committer Victor Julien <victor@inliniac.net>
Wed, 30 Jul 2014 12:47:31 +0000 (14:47 +0200)
diff --git a/src/output-json-alert.c b/src/output-json-alert.c

index 353d66f268546f8fe9e7e0464a72213ada69587c..58bdad36a79c1b0f4899d7861f25a1dbd6660423 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -135,6 +135,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                              json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
          json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
  
+        if (pa->flags & PACKET_ALERT_FLAG_TX)
+            json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
+
          /* alert */
          json_object_set_new(js, "alert", ajs);
  
diff --git a/src/output-json-dns.c b/src/output-json-dns.c

index 066ce8901ca2e237b4d56d603e0bb0d43b1e6804..71d8adb8202b01c071c37aafcda2b757af086bd1 100644 (file)
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -70,7 +70,9 @@ typedef struct LogDnsLogThread_ {
      MemBuffer *buffer;
  } LogDnsLogThread;
  
-static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQueryEntry *entry) {
+static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx,
+        uint64_t tx_id, DNSQueryEntry *entry)
+{
      MemBuffer *buffer = (MemBuffer *)aft->buffer;
  
      SCLogDebug("got a DNS request and now logging !!");
@@ -102,6 +104,9 @@ static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQu
      DNSCreateTypeString(entry->type, record, sizeof(record));
      json_object_set_new(djs, "rrtype", json_string(record));
  
+    /* tx id (tx counter) */
+    json_object_set_new(djs, "tx_id", json_integer(tx_id));
+
      /* dns */
      json_object_set_new(js, "dns", djs);
      OutputJSONBuffer(js, aft->dnslog_ctx->file_ctx, buffer);
@@ -174,7 +179,7 @@ static void OutputAnswer(LogDnsLogThread *aft, json_t *djs, DNSTransaction *tx,
      return;
  }
  
-static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx) {
+static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, uint64_t tx_id) {
  
      SCLogDebug("got a DNS response and now logging !!");
  
@@ -208,7 +213,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
          if (unlikely(js == NULL))
              return TM_ECODE_OK;
  
-        LogQuery(td, js, tx, query);
+        LogQuery(td, js, tx, tx_id, query);
  
          json_decref(js);
      }
@@ -217,7 +222,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
      if (unlikely(js == NULL))
          return TM_ECODE_OK;
  
-    LogAnswers(td, js, tx);
+    LogAnswers(td, js, tx, tx_id);
  
      json_decref(js);
  
diff --git a/src/output-json-file.c b/src/output-json-file.c

index 9aa417122d56c84c20b57173e7c6bd4dbaaad242..e56ef579d5f79fc5ca85c4b8577613aaae821908 100644 (file)
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -232,6 +232,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
      json_object_set_new(fjs, "stored",
                          (ff->flags & FILE_STORED) ? json_true() : json_false());
      json_object_set_new(fjs, "size", json_integer(ff->size));
+    json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
  
      /* originally just 'file', but due to bug 1127 naming it fileinfo */
      json_object_set_new(js, "fileinfo", fjs);
diff --git a/src/output-json-http.c b/src/output-json-http.c

index 9ed0df1f0089d6dd2bc649c81d7de11bb81bfa7b..827cff89d7871133427e36411e161de73d6b6e11 100644 (file)
--- a/src/output-json-http.c
+++ b/src/output-json-http.c
@@ -180,7 +180,7 @@ struct {
  
  
  /* JSON format logging */
-static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
+static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, uint64_t tx_id)
  {
      LogHttpFileCtx *http_ctx = aft->httplog_ctx;
      json_t *hjs = json_object();
@@ -348,6 +348,9 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
          json_object_set_new(hjs, "length", json_integer(tx->response_message_len));
      }
  
+    /* tx id for correlation with alerts */
+    json_object_set_new(hjs, "tx_id", json_integer(tx_id));
+
      json_object_set_new(js, "http", hjs);
  }
  
@@ -368,7 +371,7 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
      /* reset */
      MemBufferReset(buffer);
  
-    JsonHttpLogJSON(jhl, js, tx);
+    JsonHttpLogJSON(jhl, js, tx, tx_id);
  
      OutputJSONBuffer(js, jhl->httplog_ctx->file_ctx, buffer);
      json_object_del(js, "http");
author	Victor Julien <victor@inliniac.net>
	Sat, 12 Jul 2014 07:25:21 +0000 (09:25 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 30 Jul 2014 12:47:31 +0000 (14:47 +0200)
src/output-json-alert.c		patch \| blob \| blame \| history
src/output-json-dns.c		patch \| blob \| blame \| history
src/output-json-file.c		patch \| blob \| blame \| history
src/output-json-http.c		patch \| blob \| blame \| history