Optimization #7185: exceptions: use search-friendly log output - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #7185

open

exceptions: use search-friendly log output

Added by Juliana Fajardini Reichow 3 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Pointed out by Jason: it would be better to have the exception policy stats counters outputted in such a format
that it is easier to search for stats under one key. Example suggestion:

stats: {
  exceptions: {
    tcp: {
      memcap: {
        pass_packet: 111,
      },
    },
  },
}

Instead of what we have:

stats: {
   tcp: {
      ssn_memcap_exception_policy: {
         pass_packet: 0,
         pass_flow: 0,
         bypass: 0,
         drop_packet: 0,
         drop_flow: 1,
         reject: 0
      }, 
   },
}

This suggestion seems to make sense to me, but it's certainly something to be discussed before moving on - to hopefully have something that we are happy
with, and can therefore be backported to 7.0.x (as once we do that, output changes will get more complicated).

Related issues 3 (3 open — 0 closed)

Actions

Copy link

Also available in: Atom PDF

Related to Suricata - Feature #5816: Exception policy stats counters	Resolved	Juliana Fajardini Reichow	Actions
Related to Suricata - Task #6929: eve/stats: hide zero-values for counters individually	In Progress	Juliana Fajardini Reichow	Actions
Blocks Suricata - Feature #6509: Exception policy stats counters (7.0.x backport)	In Review	Jeff Lucovsky	Actions

Project

General

Profile

Suricata

Custom queries

Optimization #7185

exceptions: use search-friendly log output

Updated by Juliana Fajardini Reichow 3 months ago

Updated by Juliana Fajardini Reichow 3 months ago

Updated by Juliana Fajardini Reichow 9 days ago

Updated by Juliana Fajardini Reichow 9 days ago

Updated by Juliana Fajardini Reichow 9 days ago