document all eve record types and fields
For each document type, document fields and their types. Add examples.
It's probably best to add specific tickets for each of the record types.
Updated by Jason Ish over 4 years ago
Victor Julien wrote:
Maybe I'm misunderstanding the purpose of the schema, but the goal of this ticket is to get the userguide updated so that all missing EVE fields are documented.
The JSON schema ticket is #1369
I think the 2 are tightly related.
I had started to look at this again, more about how it should look to the end user. I played with using tables in Sphinx, but I don't find that scales well, especially if you want to reformat. When I jumped back to my JSON schema stuff, it is kind of ugly and I'm not sure if it can be used to generate suitable doc for the userguide. So my last attempt is just some custom YAML that I thought I might generate into Sphinx tables. Still not sure if that is a good idea though, given that JSON schema exists.
Ideally there should be one source of truth. If we still feel that JSON schema is suitable for QA testing, maybe that should be it. We could probably do some intermediate processing of it, and perhaps adding extra fields to provide context in end-user doc. By context I mean stuff like: "vlan - only present when the alerting packet has a vlan header".
Updated by Philippe Antoine about 1 year ago
Good question. The generic documentation (as in: RTD pages) is not there yet, but from my point of view the JSON schema is OK. (Is
etc/schema.jsonbased on our 2019 stuff BTW or separately generated?)
I do not know your 2019 stuff.
etc/schema.json was generated with combining the outputs of suricata-verify tests (and then manual additions over time)
Updated by Jason Ish about 1 year ago
I've been working on a script to generate output from the schema.. Rough example here: https://gist.github.com/jasonish/fc04da8a5586954f78e1857fe3ae0203.
I'm thinking the next step would be a rather simple, but large `.rst` rendering as an appending in the docs with predictable anchors so one can link to the relevant section by protocol name, etc.
Updated by Sascha Steinbiss 3 months ago
My feeling is BTW that the stuff we did for Suricon 2019 is probably obsolete:
- There now is an official JSON schema maintained by the project itself, which is also used in tests to ensure it stays up-to-date. Much better than trying to establish one from the outside :)
- Our hacky documentation generation script indeed creates a tree of Sphinx documentation for RTD (see attachments), but it's pretty closely tied to our project and its result tree structure. Also, I'm not sure about predictable anchors; our script creates individual pages (https://github.com/satta/suricata-json-schema/blob/master/schematize.py).
Do we even want to keep this open?