eve.stats: make decoder event prefix configurable

src/counters.c

@@ -100,6 +100,7 @@ static char stats_enabled = TRUE;
 
 /**< add decoder events as stats? enabled by default */
 bool stats_decoder_events = true;
+const char *stats_decoder_events_prefix = "decoder";
 /**< add stream events as stats? disabled by default */
 bool stats_stream_events = false;
 
@@ -252,6 +253,17 @@ static void StatsInitCtx(void)
         if (ret) {
             stats_stream_events = (b == 1);
         }
+
+        const char *prefix = NULL;
+        if (ConfGet("stats.decoder-events-prefix", &prefix) != 1) {
+            prefix = "decoder";
+            SCLogWarning(SC_WARN_DEFAULT_WILL_CHANGE, "in 5.0 the default "
+                    "for decoder event stats will go from "
+                    "'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. "
+                    "See ticket #2225. To suppress this message, "
+                    "set stats.decoder-events-prefix in the yaml.");
+        }
+        stats_decoder_events_prefix = prefix;
     }
 
     if (!OutputStatsLoggersRegistered()) {

src/decode.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2019 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -68,6 +68,7 @@
 #include "output-flow.h"
 
 extern bool stats_decoder_events;
+const char *stats_decoder_events_prefix;
 extern bool stats_stream_events;
 
 int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
@@ -501,7 +502,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
             char name[256];
             char *dot = index(DEvents[i].event_name, '.');
             BUG_ON(!dot);
-            snprintf(name, sizeof(name), "decoder.events.%s", dot+1);
+            snprintf(name, sizeof(name), "%s.%s",
+                    stats_decoder_events_prefix, dot+1);
 
             const char *found = HashTableLookup(g_counter_table, name, 0);
             if (!found) {

src/util-error.c

@@ -357,6 +357,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_WINDIVERT_INVALID_FILTER);
         CASE_CODE (SC_ERR_WINDIVERT_TOOLONG_FILTER);
         CASE_CODE (SC_WARN_RUST_NOT_AVAILABLE);
+        CASE_CODE (SC_WARN_DEFAULT_WILL_CHANGE);
 
         CASE_CODE (SC_ERR_MAX);
     }

src/util-error.h

@@ -347,6 +347,7 @@ typedef enum {
     SC_ERR_WINDIVERT_INVALID_FILTER,
     SC_ERR_WINDIVERT_TOOLONG_FILTER,
     SC_WARN_RUST_NOT_AVAILABLE,
+    SC_WARN_DEFAULT_WILL_CHANGE,
 
     SC_ERR_MAX,
 } SCError;

suricata.yaml.in

@@ -62,6 +62,9 @@ stats:
   interval: 8
   # Add decode events as stats.
   #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  decoder-events-prefix: "decoder.event"
   # Add stream events as stats.
   #stream-events: false