Feature #4853
openeve: Add information about Suricata version
Description
Having that information in the eve log could be useful when trying to offer support,
since that file is the one folks often share when some behavior is not as expected.
We could then skip asking for that, if that info was already available.
Victor suggests that a way of achieving that would be to enable suricata.log by default and add that info to eve.json.
The possibility of adding a first record to the logs that would contain some of this type of info, in a special record type, has also been discussed.
Updated by Victor Julien almost 3 years ago
- Subject changed from Add information about Suricata version to eve-log to eve: Add information about Suricata version
Updated by Jason Ish almost 3 years ago
Adding a record on startup would be great, and I know this topic has come up before. However, it's more useful in a log aggregation system; unfortunately it won't help us with asking people to provide the version, as they're more likely to include the log records of interest, which will not be the first one. So I think the issues should be considered separately.
One option I see is adding the Suricata version to the stats log, since we often ask for that. This almost eliminates the need for a startup record. A stats record with the Suricata version and the uptime (already existing) gives us almost the same info. However I suppose a startup message could include more information like interface, mode, command line parameters of note.
Or just simply adding the Suricata version to the eve record itself..
{ "timestamp": "2021-07-28T16:03:38.471697-0600", "version": "6.0.4", "flow_id": 422765781370987, ... }
It's pretty small in size compared to a full eve record.
Updated by Juliana Fajardini Reichow almost 2 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Victor Julien 12 months ago
It was suggested in Suricon 2023 that this would be per record and optional.
Updated by Victor Julien 12 months ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Jason Ish 12 months ago
I wonder if each eve record should be tagged with the Suricata version?
Over in DNS land we are versioning DNS eve records. We are currently at version 2, with no support for version 1 anymore. For 8.0 we are looking at some breaking changes that would make it a version 3...
Or do we just add the Suricata version and that's what could be used to determine the format for the record type? The advantage of versioning EVE DNS records individually is that you could opt in to the older version for just DNS, but I'm not a big fan of more toggles.
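As an added example (not code from the Suricata project or from anyone in this thread), the following Python script shows what a support-side consumer of a shared eve.json could do with the fields discussed above, both Jason's proposed per-record "version" key and the per-record-type versioning already used for DNS. It tallies the proposed top-level "version" key (hypothetical: Suricata does not emit it today), picks up stats.uptime from stats records (a field Suricata does emit), and dispatches on the existing dns.version field, refusing any version other than 2 rather than silently mis-parsing it. Because it counts the version on every record, it still works when the user shares only the records of interest and not the first (startup) record. The sample records are constructed, modelled on eve output, and one deliberately broken line stands in for a partially pasted file.

```python
"""Summarise version information from an eve.json file.

Added example, not code from the Suricata project or this thread's authors.
Assumptions: the top-level "version" key is the field proposed in this issue
(hypothetical; Suricata does not emit it), while stats.uptime and dns.version
are fields Suricata does emit in stats and dns records respectively.
"""
import json
from collections import Counter

# Constructed sample modelled on eve.json output. The non-JSON line mimics
# a user pasting a partial or hand-edited file.
SAMPLE_EVE = """\
{"timestamp": "2021-07-28T16:03:38.471697-0600", "version": "6.0.4", "flow_id": 422765781370987, "event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1", "proto": "UDP", "dns": {"version": 2, "type": "query", "id": 1, "rrname": "example.com", "rrtype": "A"}}
{"timestamp": "2021-07-28T16:03:38.472001-0600", "version": "6.0.4", "flow_id": 422765781370987, "event_type": "dns", "dns": {"version": 2, "type": "answer", "id": 1, "rrname": "example.com", "rcode": "NOERROR", "answers": [{"rrname": "example.com", "rrtype": "A", "ttl": 60, "rdata": "93.184.216.34"}]}}
{"timestamp": "2021-07-28T16:03:38.500000-0600", "version": "6.0.4", "event_type": "dns", "dns": {"version": 1, "type": "answer", "id": 2, "rrname": "old.example", "rrtype": "A", "rdata": "192.0.2.1"}}
not json at all, as happens when a user pastes a partial file
{"timestamp": "2021-07-28T16:04:00.000000-0600", "version": "6.0.4", "event_type": "stats", "stats": {"uptime": 3604, "capture": {"kernel_packets": 1200}}}
"""


def records(text):
    """Yield each parseable eve record (one JSON object per line), skipping junk."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def summarise(text):
    """Collect Suricata versions, uptime and DNS record versions seen in eve text."""
    versions = Counter()        # proposed top-level "version" key, per record
    dns_versions = Counter()    # existing dns.version key, per dns record
    uptime = None               # stats.uptime from the latest stats record
    total = 0
    for rec in records(text):
        total += 1
        if "version" in rec:
            versions[str(rec["version"])] += 1
        if rec.get("event_type") == "stats":
            up = rec.get("stats", {}).get("uptime")
            if isinstance(up, int):
                uptime = up if uptime is None else max(uptime, up)
        elif rec.get("event_type") == "dns":
            dns_versions[rec.get("dns", {}).get("version")] += 1
    skipped = len([l for l in text.splitlines() if l.strip()]) - total
    return {
        "versions": dict(versions),
        "uptime": uptime,
        "dns_versions": dict(dns_versions),
        "skipped": skipped,
    }


def dns_answers(rec):
    """Return (rrname, rrtype, rdata) tuples from a version-2 DNS answer record.

    Version 2 groups answers under dns.answers; any other version is refused
    explicitly so an old or future layout is never mis-read as v2.
    """
    dns = rec.get("dns", {})
    ver = dns.get("version")
    if ver != 2:
        raise ValueError(f"unsupported dns eve record version {ver!r}; only 2 is handled")
    if dns.get("type") != "answer":
        return []
    return [(a.get("rrname"), a.get("rrtype"), a.get("rdata")) for a in dns.get("answers", [])]


if __name__ == "__main__":
    summary = summarise(SAMPLE_EVE)
    print("Suricata versions seen:", summary["versions"])
    print("uptime from stats:", summary["uptime"], "seconds")
    print("DNS record versions:", summary["dns_versions"])
    print("unparseable lines skipped:", summary["skipped"])
    for rec in records(SAMPLE_EVE):
        if rec.get("event_type") == "dns":
            try:
                print("answers:", dns_answers(rec))
            except ValueError as exc:
                print("refused:", exc)
```

Run it as a script to see the summary for the constructed sample; point summarise() at the contents of a real eve.json to use it on a file someone shared.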
Updated by Juliana Fajardini Reichow 12 months ago
I think that for our purposes - support - and for users, having it per eve record might make more sense.
Would it make sense to have it optional for other fields, but mandatory for stats?
Updated by Juliana Fajardini Reichow 12 months ago
Considering that we'll soon have three current versions of Suricata people could be running (8, 7 and 6), I think this task becomes even more useful. Thoughts?
Strongly related: will we backport it?
Updated by Victor Julien 9 months ago
- Related to Task #2167: tracking: eve enhancements added
Updated by Victor Julien 4 months ago
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
Updated by Philippe Antoine about 2 months ago
- Status changed from Assigned to New