Suricata

Adding a record on startup would be great, and I know this topic has come up before. However, its more useful in a log aggregation system, unfortunately it won't help us with asking people to provide the version, as they're more likely to include the log records of interest, which will not be the first one. So I think the issues should be considered separately.

One option I see is adding the Suricata version to the stats log, since we often ask for that. This almost eliminates the need for a startup record. A stats record with the Suricata version and the uptime (already existing) gives us almost the same info. However I suppose a startup message could include more information like interface, mode, command line parameters of note.

Or just simply adding the Suricata version to the eve record itself..

{
    "timestamp": "2021-07-28T16:03:38.471697-0600",
    "version": "6.0.4",
    "flow_id": 422765781370987,
    ...
}

its pretty small in size compared to a full eve record.

It was suggested in Suricon 2023 that this would be per record and optional.

I wonder if each eve record should be tagged with the Suricata version?

Over in DNS land we are version DNS eve records. We are currently at version 2, with no support for version 1 anymore. For 8.0 we are looking at some breaking changes that would make it a version 3..

Or do we just add the Surcata version and that's what could be use to determine the format for the record type. The advantage of version EVE DNS records individually is that you could opt-in to the older version for just DNS, but I'm not a big fan of more toggles.

I think that for our purposes - support - and for users, having it per eve record might make more sense.

Would it make sense to have it optional for other fields, but mandatory for stats?

Considering that we'll soon have three current versions of Suricata people could be running (8, 7 and 6), I think this task becomes even more useful. Thoughts?
Strongly related: will we backport it?