Message ID | 20190604130024.15439-1-ummeegge@ipfire.org |
---|---|
State | Accepted |
Commit | 21a838238378b531551f42e2c582f0c5f82ca26f |
Headers | From: Erik Kapfer <ummeegge@ipfire.org>; To: development@lists.ipfire.org; Subject: [PATCH] suricata: Enable EVE logging; Date: Tue, 4 Jun 2019 15:00:24 +0200; Message-Id: <20190604130024.15439-1-ummeegge@ipfire.org>; X-Mailer: git-send-email 2.12.2; List-Id: IPFire development talk <development.lists.ipfire.org>; List-Archive: <https://lists.ipfire.org/pipermail/development/> |
Series | suricata: Enable EVE logging |
Commit Message
ummeegge
June 4, 2019, 11 p.m. UTC
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
lfs/suricata | 2 ++
1 file changed, 2 insertions(+)
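The patch exists so that Suricata is built with libjansson and can write EVE JSON at all. As an added example (not code from the patch, the thread or the IPFire project), here is the consumer side: a small Python reader for `eve.json` lines as a defender would use it. The sample records are constructed here following the field names EVE emits (`event_type`, `src_ip`, `dest_ip`, `alert.signature_id`, `alert.severity`); the rule ids and signature names are illustrative. The reader skips a malformed line instead of aborting on it (EVE is one JSON object per line, and a file read while Suricata is still writing it can end in a partial line), counts events per type and per signature, and extracts the alerts at the most severe level.

```python
import json
from collections import Counter

# Constructed sample of eve.json content, one JSON object per line, using the
# field names Suricata's EVE output emits. Rule ids/names are illustrative and
# the fifth line is deliberately corrupt to exercise the error handling.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-06-04T15:00:24.000000+0200","event_type":"alert","src_ip":"192.0.2.10","src_port":51515,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2019-06-04T15:00:25.000000+0200","event_type":"dns","src_ip":"192.0.2.10","src_port":53210,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.net","rrtype":"A"}}',
    '{"timestamp":"2019-06-04T15:00:26.000000+0200","event_type":"alert","src_ip":"192.0.2.10","src_port":51516,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2019-06-04T15:00:27.000000+0200","event_type":"alert","src_ip":"203.0.113.5","src_port":4444,"dest_ip":"192.0.2.20","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":1}}',
    'this line is not JSON and must be skipped, not crash the reader',
    '{"timestamp":"2019-06-04T15:00:28.000000+0200","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":512,"bytes_toclient":2048}}',
]


def parse_eve(lines):
    """Parse EVE JSON lines into dicts; returns (records, skipped_count).

    A truncated trailing line or a corrupted line must not abort processing
    of the rest of the file, so such lines are counted rather than raised.
    """
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # Every EVE record carries event_type; anything else is not EVE output.
        if isinstance(rec, dict) and "event_type" in rec:
            records.append(rec)
        else:
            skipped += 1
    return records, skipped


def summarize(lines, severity_threshold=1):
    """Count events per type and alerts per signature id, and collect the
    alerts at or above the threshold (Suricata severity 1 is the most severe)."""
    records, skipped = parse_eve(lines)
    events = Counter()
    by_sid = Counter()
    sid_names = {}
    high = []
    for rec in records:
        events[rec["event_type"]] += 1
        if rec["event_type"] != "alert":
            continue
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        by_sid[sid] += 1
        sid_names[sid] = alert.get("signature", "<unnamed>")
        if alert.get("severity", 99) <= severity_threshold:
            high.append({
                "timestamp": rec.get("timestamp"),
                "src": f'{rec.get("src_ip")}:{rec.get("src_port")}',
                "dest": f'{rec.get("dest_ip")}:{rec.get("dest_port")}',
                "action": alert.get("action"),
                "signature": sid_names[sid],
            })
    return {
        "skipped": skipped,
        "events": dict(events),
        "by_signature_id": dict(by_sid),
        "signature_names": sid_names,
        "high_severity": high,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVE_LINES)
    print("skipped lines:", report["skipped"])
    print("events by type:", report["events"])
    for sid, count in report["by_signature_id"].items():
        print(f"sid {sid}: {count}x {report['signature_names'][sid]}")
    for hit in report["high_severity"]:
        print("severity-1 alert:", hit)
```

On a real sensor the same functions are fed `open("/var/log/suricata/eve.json")` (the default EVE path in Suricata's own configuration) in place of the constructed list; only `alert` records carry the `alert` object, which is why the other event types are counted and then passed over.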
Comments
Hi Erik,

I believe that Stefan has already enabled this in this commit:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=616395f37c6d096607283cc17e5554cc03e9bcc6

Are you saying that the library wasn’t linked before?

I am not sure what this patch is meant to achieve - assuming that Stefan’s change isn’t broken.

-Michael

> On 4 Jun 2019, at 14:00, Erik Kapfer <ummeegge@ipfire.org> wrote:
>
> The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
> For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .
>
> Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> ---
> lfs/suricata | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/lfs/suricata b/lfs/suricata
> index 310920606..6f779d875 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> --enable-nfqueue \
> --disable-static \
> --disable-python \
> + --with-libjansson-libraries=/usr/lib \
> + --with-libjansson-includes=/usr/include \
> --disable-suricata-update
> cd $(DIR_APP) && make $(MAKETUNING)
> cd $(DIR_APP) && make install
> --
> 2.12.2
Hi Michael,

On Wed, 2019-06-05 at 09:53 +0100, Michael Tremer wrote:
> Hi Erik,
>
> I believe that Stefan has already enabled this in this commit:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=616395f37c6d096607283cc17e5554cc03e9bcc6

This is indeed a needed step to build Jansson before Suricata; I did the same during an experimental try with EVEbox --> https://forum.ipfire.org/viewtopic.php?f=50&t=22693#p124673 but there was also the need to include the jansson libs in the LFS too.

> Are you saying that the library wasn’t linked before?

I have looked at version 'v2.23-core131-215-gc899be2fd', where Stefan's patch is already included, but if I change into the chroot and execute

suricata --build-info | grep jansson

I get

libjansson support: no

So yes, I think the library isn't linked even though Jansson has been built before Suricata.

> I am not sure what this patch is meant to achieve - assuming that
> Stefan’s change isn’t broken.

Possibly Suricata does not search automatically for libjansson?

> -Michael

Best,

Erik

> > On 4 Jun 2019, at 14:00, Erik Kapfer <ummeegge@ipfire.org> wrote:
> >
> > The EVE output facility outputs alerts, metadata, file info and
> > protocol specific records through JSON.
> > For further information please see -->
> > https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
> > .
> >
> > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > ---
> > lfs/suricata | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/lfs/suricata b/lfs/suricata
> > index 310920606..6f779d875 100644
> > --- a/lfs/suricata
> > +++ b/lfs/suricata
> > @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > --enable-nfqueue \
> > --disable-static \
> > --disable-python \
> > + --with-libjansson-libraries=/usr/lib \
> > + --with-libjansson-includes=/usr/include \
> > --disable-suricata-update
> > cd $(DIR_APP) && make $(MAKETUNING)
> > cd $(DIR_APP) && make install
> > --
> > 2.12.2
Hello Michael & Erik,

When building suricata here, the build process automatically detected and successfully linked the final suricata binary against libjansson.

I'm fine with your patch, because it hard switches libjansson support to on and the entire build process would fail if the library could not be linked or the include files are missing....

Best regards,

-Stefan

Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>

> Hi Michael,
>
> On Wed, 2019-06-05 at 09:53 +0100, Michael Tremer wrote:
> > Hi Erik,
> >
> > I believe that Stefan has already enabled this in this commit:
> >
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=616395f37c6d096607283cc17e5554cc03e9bcc6
>
> This is indeed a needed step to build Jansson before Suricata;
> I did the same during an experimental try with EVEbox
> --> https://forum.ipfire.org/viewtopic.php?f=50&t=22693#p124673
> but there was also the need to include the jansson libs in the LFS
> too.
>
> > Are you saying that the library wasn’t linked before?
>
> I have looked at version 'v2.23-core131-215-gc899be2fd', where Stefan's
> patch is already included, but if I change into the chroot and execute
>
> suricata --build-info | grep jansson
>
> I get
>
> libjansson support: no
>
> So yes, I think the library isn't linked even though Jansson has been built
> before Suricata.
>
> > I am not sure what this patch is meant to achieve - assuming that
> > Stefan’s change isn’t broken.
>
> Possibly Suricata does not search automatically for libjansson?
>
> > -Michael
>
> Best,
>
> Erik
>
> > > On 4 Jun 2019, at 14:00, Erik Kapfer <ummeegge@ipfire.org> wrote:
> > >
> > > The EVE output facility outputs alerts, metadata, file info and
> > > protocol specific records through JSON.
> > > For further information please see -->
> > > https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
> > > .
> > >
> > > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > > ---
> > > lfs/suricata | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/lfs/suricata b/lfs/suricata
> > > index 310920606..6f779d875 100644
> > > --- a/lfs/suricata
> > > +++ b/lfs/suricata
> > > @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > --enable-nfqueue \
> > > --disable-static \
> > > --disable-python \
> > > + --with-libjansson-libraries=/usr/lib \
> > > + --with-libjansson-includes=/usr/include \
> > > --disable-suricata-update
> > > cd $(DIR_APP) && make $(MAKETUNING)
> > > cd $(DIR_APP) && make install
> > > --
> > > 2.12.2
Okay. Merged.

> On 5 Jun 2019, at 18:10, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Hello Michael & Erik,
>
> When building suricata here, the build process automatically detected
> and successfully linked the final suricata binary against libjansson.
>
> I'm fine with your patch, because it hard switches libjansson support
> to on and the entire build process would fail if the library could
> not be linked or the include files are missing....
>
> Best regards,
>
> -Stefan
>
> Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
>
> > Hi Michael,
> >
> > On Wed, 2019-06-05 at 09:53 +0100, Michael Tremer wrote:
> > > Hi Erik,
> > >
> > > I believe that Stefan has already enabled this in this commit:
> > >
> > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=616395f37c6d096607283cc17e5554cc03e9bcc6
> >
> > This is indeed a needed step to build Jansson before Suricata;
> > I did the same during an experimental try with EVEbox
> > --> https://forum.ipfire.org/viewtopic.php?f=50&t=22693#p124673
> > but there was also the need to include the jansson libs in the LFS
> > too.
> >
> > > Are you saying that the library wasn’t linked before?
> >
> > I have looked at version 'v2.23-core131-215-gc899be2fd', where Stefan's
> > patch is already included, but if I change into the chroot and execute
> >
> > suricata --build-info | grep jansson
> >
> > I get
> >
> > libjansson support: no
> >
> > So yes, I think the library isn't linked even though Jansson has been built
> > before Suricata.
> >
> > > I am not sure what this patch is meant to achieve - assuming that
> > > Stefan’s change isn’t broken.
> >
> > Possibly Suricata does not search automatically for libjansson?
> >
> > > -Michael
> >
> > Best,
> >
> > Erik
> >
> > > > On 4 Jun 2019, at 14:00, Erik Kapfer <ummeegge@ipfire.org> wrote:
> > > >
> > > > The EVE output facility outputs alerts, metadata, file info and
> > > > protocol specific records through JSON.
> > > > For further information please see -->
> > > > https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
> > > > .
> > > >
> > > > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > > > ---
> > > > lfs/suricata | 2 ++
> > > > 1 file changed, 2 insertions(+)
> > > >
> > > > diff --git a/lfs/suricata b/lfs/suricata
> > > > index 310920606..6f779d875 100644
> > > > --- a/lfs/suricata
> > > > +++ b/lfs/suricata
> > > > @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > > --enable-nfqueue \
> > > > --disable-static \
> > > > --disable-python \
> > > > + --with-libjansson-libraries=/usr/lib \
> > > > + --with-libjansson-includes=/usr/include \
> > > > --disable-suricata-update
> > > > cd $(DIR_APP) && make $(MAKETUNING)
> > > > cd $(DIR_APP) && make install
> > > > --
> > > > 2.12.2
Hi Stevee and Michael,

thank you both for checking this out and for the merge.

Best,

Erik

On Thu, 2019-06-06 at 08:54 +0100, Michael Tremer wrote:
> Okay. Merged.
>
> > On 5 Jun 2019, at 18:10, Stefan Schantl <stefan.schantl@ipfire.org>
> > wrote:
> >
> > Hello Michael & Erik,
> >
> > When building suricata here, the build process automatically
> > detected and successfully linked the final suricata binary against
> > libjansson.
> >
> > I'm fine with your patch, because it hard switches libjansson
> > support to on and the entire build process would fail if the library
> > could not be linked or the include files are missing....
> >
> > Best regards,
> >
> > -Stefan
> >
> > Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
> >
> > > Hi Michael,
> > >
> > > On Wed, 2019-06-05 at 09:53 +0100, Michael Tremer wrote:
> > > > Hi Erik,
> > > >
> > > > I believe that Stefan has already enabled this in this commit:
> > > >
> > > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=616395f37c6d096607283cc17e5554cc03e9bcc6
> > >
> > > This is indeed a needed step to build Jansson before Suricata;
> > > I did the same during an experimental try with EVEbox
> > > --> https://forum.ipfire.org/viewtopic.php?f=50&t=22693#p124673
> > > but there was also the need to include the jansson libs in the
> > > LFS too.
> > >
> > > > Are you saying that the library wasn’t linked before?
> > >
> > > I have looked at version 'v2.23-core131-215-gc899be2fd', where
> > > Stefan's patch is already included, but if I change into the chroot
> > > and execute
> > >
> > > suricata --build-info | grep jansson
> > >
> > > I get
> > >
> > > libjansson support: no
> > >
> > > So yes, I think the library isn't linked even though Jansson has
> > > been built before Suricata.
> > >
> > > > I am not sure what this patch is meant to achieve - assuming
> > > > that Stefan’s change isn’t broken.
> > >
> > > Possibly Suricata does not search automatically for libjansson?
> > >
> > > > -Michael
> > >
> > > Best,
> > >
> > > Erik
> > >
> > > > > On 4 Jun 2019, at 14:00, Erik Kapfer <ummeegge@ipfire.org>
> > > > > wrote:
> > > > >
> > > > > The EVE output facility outputs alerts, metadata, file info
> > > > > and protocol specific records through JSON.
> > > > > For further information please see -->
> > > > > https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
> > > > > .
> > > > >
> > > > > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > > > > ---
> > > > > lfs/suricata | 2 ++
> > > > > 1 file changed, 2 insertions(+)
> > > > >
> > > > > diff --git a/lfs/suricata b/lfs/suricata
> > > > > index 310920606..6f779d875 100644
> > > > > --- a/lfs/suricata
> > > > > +++ b/lfs/suricata
> > > > > @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > > > --enable-nfqueue \
> > > > > --disable-static \
> > > > > --disable-python \
> > > > > + --with-libjansson-libraries=/usr/lib \
> > > > > + --with-libjansson-includes=/usr/include \
> > > > > --disable-suricata-update
> > > > > cd $(DIR_APP) && make $(MAKETUNING)
> > > > > cd $(DIR_APP) && make install
> > > > > --
> > > > > 2.12.2
diff --git a/lfs/suricata b/lfs/suricata index 310920606..6f779d875 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-nfqueue \ --disable-static \ --disable-python \ + --with-libjansson-libraries=/usr/lib \ + --with-libjansson-includes=/usr/include \ --disable-suricata-update cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
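Review bot: the two added `--with-libjansson-libraries=/usr/lib` and `--with-libjansson-includes=/usr/include` lines pin libjansson to fixed paths and so turn a silently missing dependency into a hard configure failure, which the commit message ("Enable EVE logging") does not say; the message should state that, since EVE output itself is switched on in suricata.yaml and this hunk only guarantees the binary is built with JSON support. Since the motivation in the thread is a build that reported `libjansson support: no`, consider also adding a post-build check to this recipe, e.g. `suricata --build-info | grep -q 'libjansson support: yes'` after the `make install` line, so a regression fails the build instead of being found on a running system.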