}
if (output_s != NULL) {
- if (strcmp(output_s, "file") == 0) {
+ if (strcmp(output_s, "file") == 0 ||
+ strcmp(output_s, "regular") == 0) {
json_ctx->json_out = ALERT_FILE;
} else if (strcmp(output_s, "syslog") == 0) {
json_ctx->json_out = ALERT_SYSLOG;
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM);
if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine
- } else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0) {
+ } else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0 ||
+ strcasecmp(filetype, "file") == 0) {
log_ctx->fp = SCLogOpenFileFp(log_path, append);
if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine
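Review bot: The new aliases are matched with different case rules: the `output_s` check earlier on the page compares `"file"` and `"regular"` with `strcmp`, while this branch uses `strcasecmp`. A value such as `Regular` would be accepted here but not by the `output_s` check, and what that check does with an unmatched value is not visible on this page. For an IDS event log the two sites should agree, otherwise a sensor may come up with an output setting that is only half applied and alerts may not land where the operator expects. Using `strcasecmp(output_s, "file") == 0 || strcasecmp(output_s, "regular") == 0` in the first check would align them. Both if-chains start and end outside their hunks.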
return -1; // Error already logged by Open...Fp routine
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
- "%s.type. Expected \"regular\" (default), \"unix_stream\", "
+ "%s.filetype. Expected \"regular\" (default), \"unix_stream\", "
"\"pcie\" "
"or \"unix_dgram\"",
conf->name);
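Review bot: The error text lists the accepted values but omits `"file"`, which the branch above now accepts alongside the default, so the message no longer matches what the parser takes. Adding it, e.g. `"%s.filetype. Expected \"regular\" (default), \"file\", \"unix_stream\", "`, keeps the message reliable for an operator fixing a rejected config. Printing the rejected `filetype` value as well would make a typo in a sensor's logging section quicker to spot. The else branch and its function continue outside the hunk.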
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
- filetype: file #file|syslog|unix_dgram|unix_stream
+ filetype: regular #regular|syslog|unix_dgram|unix_stream
filename: eve.json
# the following are valid when type: syslog above
#identity: "suricata"
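Review bot: The context comment `# the following are valid when type: syslog above` still names the key `type`, while the key on the changed line is `filetype`; it should read `# the following are valid when filetype: syslog above`. The inline list on the new line also drops `file`, which the C hunks on this page still accept. If `file` is kept only as a backward-compatible alias, a short comment saying so would tell users with existing configs that their setting still works.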