Actions
Bug #3390
closedEve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
Affected Versions:
Effort:
Difficulty:
Label:
Description
When I using this command "suricata -c xxx.yaml -r xxx.pcap", the output eve-log generates pcap_filname in every line.
But when i using "suricata -c xxx.yaml --unix-socket" and 'suricatasc xxx.socket -c "pcap-file test.pcap /home/pcap/"', the output eve-log does not has "pcap_filename", the log sample is as follows:
{"timestamp":"2019-08-27T10:54:02.199286+0800","flow_id":1803132955396726,"pcap_cnt":1523,"event_type":"dns","src_ip":"10.x.x.x","src_port":64800,"dest_ip":"192.x.x.x","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10166,"rrname":"xxx.com","rrtype":"A","tx_id":0}}
How can I fix this?
Updated by Victor Julien almost 5 years ago
- Description updated (diff)
- Priority changed from High to Normal
Updated by Victor Julien almost 5 years ago
Can you try the following patch?
diff --git a/src/output-json.c b/src/output-json.c
index 925d9664e..53b9441b7 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -1055,7 +1055,8 @@ OutputInitResult OutputJsonInitCtx(ConfNode *conf)
const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
json_ctx->file_ctx->is_pcap_offline =
- (RunmodeGetCurrent() == RUNMODE_PCAP_FILE);
+ (RunmodeGetCurrent() == RUNMODE_PCAP_FILE ||
+ RunmodeGetCurrent() == RUNMODE_UNIX_SOCKET);
}
json_ctx->file_ctx->type = json_ctx->json_out;
Updated by Ui X almost 5 years ago
Victor Julien wrote:
Can you try the following patch?
[...]
It works! Thank you.
Updated by Victor Julien almost 5 years ago
- Tracker changed from Support to Bug
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 5.0.1
Updated by Victor Julien almost 5 years ago
- Status changed from Assigned to Closed
Actions