27.3.5.1.1. EVE JSON Output Plugin

Extensive Event Format (EVE) JSON logs are the main log format for Suricata, used to output alerts, anomalies, metadata, fileinfo, protocol-specific records and more through JSON. (Read more: Eve JSON Output)

We provide an EVE Output plugin with Suricata, which can be used to post-process Suricata's JSON, or to send it to a custom destination.

This section covers the API callbacks for said plugin.

27.3.5.1.1.1. Application

A common usage for this output plugin would be, for instance, to send Suricata EVE outputs to a database destination, such as Redis.

For Redis, Jason Ish crafted an example: https://github.com/jasonish/suricata-redis-output

27.3.5.1.1.2. API Callbacks

27.3.5.1.1.2.1. Registering the plugin with Suricata:

Declare an SCPlugin with the plugin info - name, author, license, and Init function - this last one is where the SCEveFileType plugin struct should be initialized.

src/suricata-plugin.h - SCPlugin
typedef struct SCPlugin_ {
    const char *name;
    const char *license;
    const char *author;
    void (*Init)(void);
} SCPlugin;

SCEveFileType will register output name, as well as all callback functions:

  • name: the name of the output which will be used in the eve filetype field in suricata.yaml to enable this output.

  • Init: called when the output is "opened".

  • Deinit: called when the output is "closed".

  • ThreadInit: called to initialize per thread data (if threaded).

  • ThreadDeinit: called to deinitialize per thread data (if threaded).

  • Write: called when an EVE record is to be "written".

src/suricata-plugin.h - SCEveFileType
typedef struct SCEveFileType_ {
    /* The name of the output, used to specify the output in the filetype section
     * of the eve-log configuration. */
    const char *name;
    /* Init - Called on first access */
    int (*Init)(ConfNode *conf, bool threaded, void **init_data);
    /* Write - Called on each write to the object */
    int (*Write)(const char *buffer, int buffer_len, void *init_data, void *thread_data);
    /* Close - Called on final close */
    void (*Deinit)(void *init_data);
    /* ThreadInit - Called for each thread using file object */
    int (*ThreadInit)(void *init_data, int thread_id, void **thread_data);
    /* ThreadDeinit - Called for each thread using file object */
    int (*ThreadDeinit)(void *init_data, void *thread_data);
    TAILQ_ENTRY(SCEveFileType_) entries;
} SCEveFileType;
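As an added example (not Suricata's own code, nor the Redis plugin's), here is a minimal set of callbacks matching the SCEveFileType signatures above, written so they build and run without Suricata: ConfNode is replaced by an opaque stand-in, the destination is a plain FILE pointer, and the Sink* function names are my own. In a real plugin these functions fill an SCEveFileType that the SCPlugin Init function passes to SCRegisterEveFileType(); the point shown here is that Write must honour buffer_len, keep per-thread state separate, and refuse to forward a record that is not a complete JSON object.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in so this builds without Suricata's headers (assumption: a real plugin
 * includes "suricata-plugin.h", which provides ConfNode and SCEveFileType). */
typedef struct ConfNode_ ConfNode;
/* Shared state created once by Init; a real plugin would keep its socket or
 * database handle here instead of a FILE pointer. */
typedef struct { FILE *out; } SinkCtx;
/* Per-thread state created by ThreadInit when the output runs threaded. */
typedef struct { int thread_id; unsigned long written; unsigned long rejected; } SinkThread;

static int SinkInit(ConfNode *conf, bool threaded, void **init_data) {
    (void)conf; (void)threaded;       /* plugin settings would be read from conf */
    SinkCtx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL) return -1;       /* non-zero tells Suricata the open failed */
    ctx->out = stdout;
    *init_data = ctx;
    return 0;
}

static int SinkThreadInit(void *init_data, int thread_id, void **thread_data) {
    (void)init_data;
    SinkThread *th = calloc(1, sizeof(*th));
    if (th == NULL) return -1;
    th->thread_id = thread_id;
    *thread_data = th;
    return 0;
}

/* One EVE record per call. The buffer is valid for buffer_len bytes only, so it
 * is never used as a NUL-terminated string, and anything that is not a complete
 * JSON object is rejected instead of being forwarded as a valid event. */
static int SinkWrite(const char *buffer, int buffer_len, void *init_data, void *thread_data) {
    SinkCtx *ctx = init_data;
    SinkThread *th = thread_data;     /* may be NULL when the output is not threaded */
    int len = buffer_len;
    while (len > 0 && buffer[len - 1] == '\n') len--;   /* tolerate a trailing newline */
    if (len <= 0 || buffer[0] != '{' || buffer[len - 1] != '}') {
        if (th) th->rejected++;
        return -1;
    }
    if (fwrite(buffer, 1, (size_t)len, ctx->out) != (size_t)len) return -1;
    fputc('\n', ctx->out);
    if (th) th->written++;
    return 0;
}
static int SinkThreadDeinit(void *init_data, void *thread_data) { (void)init_data; free(thread_data); return 0; }
static void SinkDeinit(void *init_data) { SinkCtx *ctx = init_data; if (ctx) fflush(ctx->out); free(ctx); }
```

The call order Suricata follows is Init, ThreadInit per thread, Write per record, ThreadDeinit, Deinit; a non-zero return from Write lets the engine count the record as dropped instead of silently losing it.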