Feature #3636
openeve: configuration options to enable all, none or just a default set of outputs
Description
One issue with upgrading Suricata is that new protocols will not be logged by default as outputs aren't enabled unless they are explicitly added to the types
in the eve-log
configuration section. This is different than the app-layer protocols that usually are enabled by default if not found in the configuration (their are exceptions to this).
It should be easier to enable the default set of outputs without having to list them all and we should use this in our default configuration. This will mean that the recommended by default outputs stays current over upgrades.
The main issue is that YAML (or maybe any configuration format) makes this hard to express.
NOTE: The following is for discussion purposes only at this time.
Magic Keywords¶
Introduce magic type names like:- all
- defaults
(These could be __all
, __defaults
, etc if we're worried about name conflicts.)
Then our default configuration file could look like:
types: - defaults
Which would enable all the outputs except drop
, netflow
, dnp3
, and metadata
as these are not currently enabled in the default configuration. This would also be the default set enabled if the output was missing the types
field.
Then to use the defaults with netflow the following configuration could be used:
types: - defaults - netflow
and if the configuration for an output needed to be modified:
types: - defaults - dns: # Custom options
DNS being explicitly listed with options would override its inclusion as part of defaults
.
Exclusion List¶
If only a few specific outputs are desired its easy to explicitly list them, however its harder to express a configuration with all
or defaults
except specific outputs. To address this an exclude_types
field could be added:
types: - defaults exclude_types: - smb - nfs
[maybe disable_types
is better]
New Default Configuration¶
types: - defaults exclude_types: []
Updated by Jason Ish over 4 years ago
- Priority changed from Normal to Low
- Target version set to 6.0.0beta1
Updated by Jason Ish over 4 years ago
- Related to Feature #1993: commandline: introduce --enable-all-outputs switch added
Updated by Jason Ish over 4 years ago
- Subject changed from eve: optiont to enable all outputs to eve: option to enable all outputs
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Victor Julien over 3 years ago
- Assignee set to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow over 3 years ago
- Status changed from New to In Progress
Hi,
my interpretation is that this issue is to address the yaml file option, since the related issue would already address cmdline alternative. Is that correct?
Updated by Jason Ish over 3 years ago
Juliana Fajardini Reichow wrote in #note-6:
Hi,
my interpretation is that this issue is to address the yaml file option, since the related issue would already address cmdline alternative. Is that correct?
Thats correct. The end result would be the same I think, just where its set. The command line option is the most useful for now I think.
Updated by Jason Ish about 3 years ago
- Subject changed from eve: option to enable all outputs to eve: configuration options to enable all, none or just a default set of outputs
Updated by Jason Ish about 3 years ago
- Description updated (diff)
- Status changed from In Progress to Assigned
Updated by Jason Ish about 3 years ago
Updated the description to discuss more about the problem and possible solutions.
Updated by Jeff Lucovsky about 3 years ago
In the use case from the description, is the assumption being made that the configuration file from the older Suricata deployment will be maintained?
Each new release, with potentially new protocols to log, would by definition already have those protocols listed under types:
.
If
types: - defaults
is meant to help with updated Suricata versions, but not Suricata config files, I think this could work.
Updated by Jason Ish about 3 years ago
Jeff Lucovsky wrote in #note-12:
In the use case from the description, is the assumption being made that the configuration file from the older Suricata deployment will be maintained?
No real assumptions. We just know that some upgrades occur without a proper conversion of the configuration file as we do our best to keep old configurations working, but this does mean that new protocols that are logged by default, in say 7.0 will never be enabled for the "lazy" upgrade path from 6.0. However, the protocol decoder enabled in this "lazy" upgrade path.
Updated by Victor Julien over 2 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Jason Ish almost 2 years ago
- Related to Optimization #2321: yaml: clean up usage of lists added
Updated by Victor Julien about 1 year ago
- Related to Feature #4782: config: add command to dump all active settings added
Updated by Juliana Fajardini Reichow 7 months ago
- Related to Feature #7069: config/eve: magic toggle to enable all types added
Updated by Shivani Bhardwaj 7 months ago
- Has duplicate Feature #7069: config/eve: magic toggle to enable all types added
Updated by Shivani Bhardwaj 7 months ago
- Related to deleted (Feature #7069: config/eve: magic toggle to enable all types)
Updated by Victor Julien 6 months ago
- Assignee changed from Juliana Fajardini Reichow to OISF Dev