Feature #4853
openeve: Add information about Suricata version
Description
Having that information on the eve log could be useful when trying to offer support,
since that file is the one folks often share, when some behavior is not as expected.
We could then skip asking that, if that info was already available.
Victor suggests that a way of achieving that would be to enable suricata.log by default and add that info to eve.json
It has also been discussed the possibility of adding a first record to the logs that would contain some of this type of info in a special record type
Updated by Victor Julien almost 2 years ago
- Subject changed from Add information about Suricata version to eve-log to eve: Add information about Suricata version
Updated by Jason Ish almost 2 years ago
Adding a record on startup would be great, and I know this topic has come up before. However, its more useful in a log aggregation system, unfortunately it won't help us with asking people to provide the version, as they're more likely to include the log records of interest, which will not be the first one. So I think the issues should be considered separately.
One option I see is adding the Suricata version to the stats log, since we often ask for that. This almost eliminates the need for a startup record. A stats record with the Suricata version and the uptime (already existing) gives us almost the same info. However I suppose a startup message could include more information like interface, mode, command line parameters of note.
Or just simply adding the Suricata version to the eve record itself..
{
"timestamp": "2021-07-28T16:03:38.471697-0600",
"version": "6.0.4",
"flow_id": 422765781370987,
...
}
its pretty small in size compared to a full eve record.
Updated by Juliana Fajardini Reichow 10 months ago
- Target version changed from TBD to 8.0.0-beta1