Documentation #2699
opendocument all eve record types and fields
Description
For each document type, document fields and their types. Add examples.
It's probably best to add specific tickets for each of the record types.
Updated by Victor Julien over 4 years ago
- Assignee set to Robert Haist
- Target version set to TBD
Updated by Victor Julien over 4 years ago
- Related to Task #2685: SuriCon 2018 brainstorm added
Updated by Victor Julien over 4 years ago
- Related to Documentation #2620: Documentation: tagged_packets / event_type packet added
Updated by Robert Haist over 4 years ago
- Effort set to medium
Working on it over at Github: https://github.com/rhaist/suricata-json-schema
Will probably take some time until we have a fully reproducible build but you can expect a preview soon.
Updated by Victor Julien over 4 years ago
Maybe I'm misunderstanding the purpose of the schema, but the goal of this ticket is to get the userguide updated so that all missing EVE fields are documented.
The JSON schema ticket is #1369
Updated by Jason Ish almost 4 years ago
Victor Julien wrote:
Maybe I'm misunderstanding the purpose of the schema, but the goal of this ticket is to get the userguide updated so that all missing EVE fields are documented.
The JSON schema ticket is #1369
I think the 2 are tightly related.
I had started to look at this again, more about how it should look to the end user. I played with using tables in Sphinx, but I don't find that scales well, especially if you want to reformat. When I jumped back to my JSON schema stuff, it is kind of ugly and I'm not sure if it can be used to generate suitable doc for the userguide. So my last attempt is just some custom YAML that I thought I might generate into Sphinx tables. Still not sure if that is a good idea though, given that JSON schema exists.
Ideally there should be one source of truth. If we still feel that JSON schema is suitable for QA testing, maybe that should be it. We could probably do some intermediate processing of it, and perhaps adding extra fields to provide context in end-user doc. By context I mean stuff like: "vlan - only present when the alerting packet has a vlan header".
Updated by Andreas Herz over 3 years ago
- Assignee changed from Robert Haist to Sascha Steinbiss
Updated by Andreas Herz over 3 years ago
- Tracker changed from Feature to Documentation
Updated by Philippe Antoine 7 months ago
@Sascha Steinbiss is this done through the json schema ?
Updated by Sascha Steinbiss 7 months ago
Good question. The generic documentation (as in: RTD pages) is not there yet, but from my point of view the JSON schema is OK. (Is etc/schema.json based on our 2019 stuff BTW or separately generated?)
Updated by Philippe Antoine 5 months ago
Good question. The generic documentation (as in: RTD pages) is not there yet, but from my point of view the JSON schema is OK. (Is
etc/schema.jsonbased on our 2019 stuff BTW or separately generated?)
I do not know your 2019 stuff.etc/schema.json was generated with combining the outputs of suricata-verify tests (and then manual additions over time)
Updated by Philippe Antoine 5 months ago
- Related to Documentation #5359: userguide: improve documentation on (main) EVE fields added
Updated by Jason Ish 5 months ago
I've been working on a script to generate output from the schema.. Rough example here: https://gist.github.com/jasonish/fc04da8a5586954f78e1857fe3ae0203.
I'm thinking the next step would be a rather simple, but large `.rst` rendering as an appending in the docs with predictable anchors so one can link to the relevant section by protocol name, etc.