output-json: add sensor-name config variable

When using redis output, we are loosing the host key (added by logstash or logstash-forwarder) and we can't find anymore what Suricata did cause the alert. This patch is adding this key during message generation using the 'sensor-name' variable or the hostname is 'sensor-name' is not defined.
10 years ago · 60ea49c777
parent 9286360f86
commit 60ea49c777
3 changed files with 29 additions and 2 deletions
--- a/src/output-json.c
+++ b/src/output-json.c
@ -341,8 +341,17 @@ json_t *CreateJSONHeaderWithTxId(Packet *p, int direction_sensitive, char *event

 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
 {
-    char *js_s = json_dumps(js,
-                            JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
+    char *js_s = NULL;
+
+#ifdef HAVE_LIBHIREDIS
+    if (file_ctx->type == LOGFILE_TYPE_REDIS) {
+        json_object_set_new(js, "host",
+                            json_string(file_ctx->redis_setup.sensor_name));
+    }
+#endif
+
+    js_s = json_dumps(js,
+            JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
 #ifdef JSON_ESCAPE_SLASH
                            JSON_ESCAPE_SLASH
 #else
@ -582,11 +591,20 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
 #ifdef HAVE_LIBHIREDIS
        else if (json_ctx->json_out == LOGFILE_TYPE_REDIS) {
            ConfNode *redis_node = ConfNodeLookupChild(conf, "redis");
+            const char *sensor_name = ConfNodeLookupChildValue(conf, "sensor-name");
            const char *redis_server = NULL;
            const char *redis_port = NULL;
            const char *redis_mode = NULL;
            const char *redis_key = NULL;

+            if (!sensor_name) {
+                char hostname[1024];
+                gethostname(hostname, 1023);
+                sensor_name = hostname;
+            }
+            json_ctx->file_ctx->redis_setup.sensor_name = SCStrdup(sensor_name);
+
+
            if (redis_node) {
                redis_server = ConfNodeLookupChildValue(redis_node, "server");
                redis_port =  ConfNodeLookupChildValue(redis_node, "port");
--- a/src/util-logopenfile.h
+++ b/src/util-logopenfile.h
@ -27,7 +27,9 @@
 #include "conf.h"            /* ConfNode   */
 #include "tm-modules.h"      /* LogFileCtx */

+#ifdef HAVE_LIBHIREDIS
 #include "hiredis/hiredis.h"
+#endif

 typedef struct {
    uint16_t fileno;
@ -39,13 +41,16 @@ enum LogFileType { LOGFILE_TYPE_FILE,
                   LOGFILE_TYPE_UNIX_STREAM,
                   LOGFILE_TYPE_REDIS };

+#ifdef HAVE_LIBHIREDIS
 enum RedisMode { REDIS_LIST, REDIS_CHANNEL };

 typedef struct RedisSetup_ {
    enum RedisMode mode;
    char *command;
    char *key;
+    char *sensor_name;
 } RedisSetup;
+#endif

 /** Global structure for Output Context */
 typedef struct LogFileCtx_ {
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -44,6 +44,10 @@ host-mode: auto
 #  user: suri
 #  group: suri

+# Some logging module will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
 # Default pid file.
 # Will use this file if no --pidfile in command options.
 #pid-file: /var/run/suricata.pid