Project

General

Profile

Actions

Feature #118

closed

Support of PostgreSQL database logging

Added by Andrew A. Usenok over 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

I implemented the ability of logging alerts into PostgreSQL database. If anyone is interesting - a patch is attached.
This had to slightly change the definition of the structure named LogFileCtx. In fact, I turned it into an enumeration that contain the appropriate structures for a variety of contexts for output messages (file, database, syslog, etc.).
To make Suricata works with PostgreSQL, you should:
1. ./configure --enable-pgsql && make
2. edit suricata.yaml, specify the hostname and port of the PostgreSQL server, database name and tables, as well as the user name and password to access the database.
Thereafter, necessary for the work table will be created automatically.
Enjoy!


Files

suricata-pgsql.patch (208 KB) suricata-pgsql.patch Andrew A. Usenok, 03/11/2010 11:32 AM
Actions #1

Updated by Victor Julien over 14 years ago

  • Target version changed from 0.8.1 to 0.8.2
Actions #2

Updated by Victor Julien over 14 years ago

Thanks Andrew. Personally when first creating Suricata my intention was to only have fastlog (for debugging) and unified* support, and have barnyard/barnyard2 handle all other connections/output types. Not everyone likes barnyard though and we also included the prelude support (even though it's disabled by default). So I'm a bit torn on including this... anyone else have an opinion on this?

Cheers,
Victor

Actions #3

Updated by Victor Julien over 14 years ago

  • Target version deleted (0.8.2)
Actions #4

Updated by Victor Julien over 14 years ago

  • Status changed from New to Feedback

This patch seems to be missing the important stuff, the alert-psgl-log.[ch] files.

One thing I noted is that it adds copyright claims to each file that is modified, no matter how trivial the change is (even one character changes).

In it's current form this patch is not acceptable for inclusion.

Actions #5

Updated by Andrew A. Usenok over 14 years ago

This patch seems to be missing the important stuff, the alert-psgl-log.[ch] files.

Have you used programs like Kompare or Kdiff3 to view the patch? Look at lines 1776-1778 for alert-pgsql-log.c and 2049-2051 for alert-pgsql-log.h, does not it?
I don't know what the alert-psgl-log.[ch] is.

One thing I noted is that it adds copyright claims to each file that is modified, no matter how trivial the change is (even one character changes).

Have you read the GNU GPL, under which licensed your program?
"5. Conveying Modified Source Versions.
...
a) The work must carry prominent notices stating that you modified it, and giving a relevant date."

In it's current form this patch is not acceptable for inclusion.

Thank you for your opinion.

Actions #6

Updated by Victor Julien over 14 years ago

Weird, kompare doesn't show the alert-pgsql-log.c and alert-pgsql.h files, just a using a normal editor does.

Wrt copyright, not every change you make to code is copyrightable. Many of the changes are nothing more than renaming a variable. I'm pretty sure thats not a copyrightable change in any legal system. Example:

diff -crN 1/src/alert-prelude.h 2/src/alert-prelude.h
  • 1/src/alert-prelude.h 2010-02-19 20:47:52.000000000 +0300
    --- 2/src/alert-prelude.h 2010-03-11 14:45:50.339237253 +0300 *******
  • 1,9 ***
    /
    Copyright (c) 2010 Pierre Chifflier <> */
#ifndef ALERT_PRELUDE_H
#define ALERT_PRELUDE_H
void TmModuleAlertPreludeRegister (void);
! LogFileCtx *AlertPreludeInitCtx(ConfNode *conf);
#endif /* ALERT_PRELUDE_H /
--- 1,10 ----
+ /
Copyright (c) 2010 Andrew A. Usenok &lt;&gt; /
/
Copyright (c) 2010 Pierre Chifflier &lt;&gt; */
#ifndef ALERT_PRELUDE_H
#define ALERT_PRELUDE_H
void TmModuleAlertPreludeRegister (void);
! LogCtx *AlertPreludeInitCtx(ConfNode *conf);
#endif /* ALERT_PRELUDE_H */

The only change here is the rename is from LogFileCtx to LogCtx.

Actions #7

Updated by Andrew A. Usenok over 14 years ago

The main purpose of this - mark files that have changed, regardless of the nature of the changes and their quantity.
In general, it is a minor point, you can always remove them, but the GPL insists on their presence.

Actions #8

Updated by Victor Julien over 14 years ago

The issue is kind of academic anyway, as the codebase has moved on quite a bit since this patch. We have already moved from the LogFileCtx to a more general OutputCtx that is more suitable for non-file based logging modules like the one you wrote. If you're interested, please update your patch to our current git master.

If you'd like the updated patch to be included in our codebase I have to ask you to sign our contributors agreement, found here: http://www.openinfosecfoundation.org/index.php/contributors . In short, it assigns the copyright to the (non-profit) foundation, but naturally you get the credits!

Actions #9

Updated by Victor Julien over 13 years ago

  • Due date deleted (03/11/2010)
  • Status changed from Feedback to Closed
  • % Done changed from 100 to 0

Original contributer/submitter isn't responding. Code is not usable in it's current form. Closing.

Actions

Also available in: Atom PDF