Feature #4853: eve: Add information about Suricata version - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Feature #4853

open

eve: Add information about Suricata version

Added by Juliana Fajardini Reichow almost 3 years ago. Updated about 2 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Having that information on the eve log could be useful when trying to offer support,
since that file is the one folks often share, when some behavior is not as expected.

We could then skip asking that, if that info was already available.

Victor suggests that a way of achieving that would be to enable suricata.log by default and add that info to eve.json

It has also been discussed the possibility of adding a first record to the logs that would contain some of this type of info in a special record type

Related issues 2 (2 open — 0 closed)

	Related to Suricata - Task #6443: Suricon 2023 brainstorm	Assigned	Victor Julien				Actions
	Related to Suricata - Task #2167: tracking: eve enhancements	New	OISF Dev				Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Victor Julien almost 3 years ago

Subject changed from Add information about Suricata version to eve-log to eve: Add information about Suricata version

Actions

Copy link

Updated by Jason Ish almost 3 years ago

Adding a record on startup would be great, and I know this topic has come up before. However, its more useful in a log aggregation system, unfortunately it won't help us with asking people to provide the version, as they're more likely to include the log records of interest, which will not be the first one. So I think the issues should be considered separately.

One option I see is adding the Suricata version to the stats log, since we often ask for that. This almost eliminates the need for a startup record. A stats record with the Suricata version and the uptime (already existing) gives us almost the same info. However I suppose a startup message could include more information like interface, mode, command line parameters of note.

Or just simply adding the Suricata version to the eve record itself..

{
    "timestamp": "2021-07-28T16:03:38.471697-0600",
    "version": "6.0.4",
    "flow_id": 422765781370987,
    ...
}

its pretty small in size compared to a full eve record.

Actions

Copy link

Updated by Juliana Fajardini Reichow almost 2 years ago

Target version changed from TBD to 8.0.0-beta1

Actions

Copy link

Updated by Victor Julien 12 months ago

It was suggested in Suricon 2023 that this would be per record and optional.

Actions

Copy link

Updated by Victor Julien 12 months ago

Related to Task #6443: Suricon 2023 brainstorm added

Actions

Copy link

Updated by Jason Ish 12 months ago

I wonder if each eve record should be tagged with the Suricata version?

Over in DNS land we are version DNS eve records. We are currently at version 2, with no support for version 1 anymore. For 8.0 we are looking at some breaking changes that would make it a version 3..

Or do we just add the Surcata version and that's what could be use to determine the format for the record type. The advantage of version EVE DNS records individually is that you could opt-in to the older version for just DNS, but I'm not a big fan of more toggles.

Actions

Copy link

Updated by Juliana Fajardini Reichow 12 months ago

I think that for our purposes - support - and for users, having it per eve record might make more sense.

Would it make sense to have it optional for other fields, but mandatory for stats?

Actions

Copy link

Updated by Juliana Fajardini Reichow 12 months ago

Considering that we'll soon have three current versions of Suricata people could be running (8, 7 and 6), I think this task becomes even more useful. Thoughts?
Strongly related: will we backport it?

Actions

Copy link