Output alert applayer v14.1 #9839
Conversation
Especially fix setup-app-layer script to not forget this part This allows, for simple loggers, to have a unique definition of the actual logging function with the jsonbuilder. This way, alerts, files, and app-layer event can share the code to output the same data. Ticket: OISF#3827
Ticket: 6500
Ticket: 6501
Ticket: 5977
catenacyber
requested review from
jasonish,
victorjulien and
a team
as code owners
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9839 +/- ##
==========================================
- Coverage 82.42% 82.42% -0.01%
==========================================
Files 972 972
Lines 273929 273780 -149
==========================================
- Hits 225788 225658 -130
+ Misses 48141 48122 -19
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 16647 |
| @@ -208,4 +208,13 @@ void OutputLoggerExitPrintStats(ThreadVars *, void *); | |||
| void OutputSetupActiveLoggers(void); | |||
| void OutputClearActiveLoggers(void); | |||
|
|
|||
| typedef bool (*SimpleJsonTxLogFunc)(void *, struct JsonBuilder *); | |||
There was a problem hiding this comment.
I don't like this "SimpleJson" name space. I would like to move all our Eve related logic to start using the Eve namespace. So I guess here we'd use EveSimpleTxLogFunc
There was a problem hiding this comment.
While I've moved some Json stuff to "Eve" in the past, I have recently been questioning this. JSON logging is straightforward and requires no explanation. What is "Eve" logging? What does it stand for? :) It always requires more explanation than JSON logging.
There was a problem hiding this comment.
Renaming to EveJsonSimpleTxLogFunc then
| SimpleJsonTxLogFunc LogTx; | ||
| } SimpleJsonAppLayerLogger; | ||
|
|
||
| SimpleJsonAppLayerLogger *GetAppProtoSimpleJsonLogger(AppProto alproto); |
There was a problem hiding this comment.
Lets also start with the namespace here, so EveSimpleGetLogger or some variant of that
There was a problem hiding this comment.
I guess SCEve... as its in public namespace.
There was a problem hiding this comment.
Renaming to SCEveJsonSimpleGetLogger
|
Replaced by #9851 |
Link to redmine tickets:
https://redmine.openinfosecfoundation.org/issues/3827
https://redmine.openinfosecfoundation.org/issues/5977
https://redmine.openinfosecfoundation.org/issues/6500
https://redmine.openinfosecfoundation.org/issues/6501
preliminary work for https://redmine.openinfosecfoundation.org/issues/5053 and app-layer plugins
Describe changes:
After that, there is still to take from #9812
SimpleTxLogFuncfrom a JsonGenericLogger to remove many C files#9797 rebased and referencing improved S-V tests
OISF/suricata-verify#1482