Optimization #7185
open
stats: exceptions: use search-friendly log output
Description
Pointed out by Jason: it would be better to have the exception policy stats counters outputted in such a format
that it is easier to search for stats under one key. Example suggestion:
stats: { exceptions: { tcp: { memcap: { pass_packet: 111, }, }, }, }
Instead of what we have:
stats: { tcp: { ssn_memcap_exception_policy: { pass_packet: 0, pass_flow: 0, bypass: 0, drop_packet: 0, drop_flow: 1, reject: 0 }, }, }
This suggestion seems to make sense to me, but it's certainly something to be discussed before moving on - to hopefully have something that we are happy
with, and can therefore be backported to 7.0.x (as once we do that, output changes will get more complicated).
Updated by Juliana Fajardini Reichow 8 months ago
- Related to Feature #5816: Exception policy stats counters added
Updated by Juliana Fajardini Reichow 8 months ago
- Related to Task #6929: eve/stats: hide zero-values for counters individually added
Updated by Juliana Fajardini Reichow 5 months ago
- Related to Feature #6509: Exception policy stats counters (7.0.x backport) added
Updated by Juliana Fajardini Reichow 5 months ago
- Related to deleted (Feature #6509: Exception policy stats counters (7.0.x backport))
Updated by Juliana Fajardini Reichow 5 months ago
- Blocks Feature #6509: Exception policy stats counters (7.0.x backport) added
Updated by Juliana Fajardini Reichow 28 days ago
- Related to Feature #6215: flow/output: log triggered exception policy added
Updated by Juliana Fajardini Reichow 19 days ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow 19 days ago
We have agreed upon the following format:
{
  "stats": {
    "exception_policy": {
      "app_layer": {
        "error": {
          "summary": { "pass_packet": 0, "pass_flow": 0, "bypass": 0, "drop_packet": 0, "drop_flow": 1, "reject": 0 },
          "http": { "pass_packet": 0, "pass_flow": 0, "bypass": 0, "drop_packet": 0, "drop_flow": 0, "reject": 0 }
        }
      },
      "defrag": { "pass_packet": 0, "bypass": 0, "drop_packet": 0, "reject": 0 },
      "flow": {
        "memcap": { "pass_packet": 0, "bypass": 0, "drop_packet": 0, "reject": 0 }
      },
      "tcp": {
        "ssn_memcap": { "pass_packet": 0, "pass_flow": 0, "bypass": 0, "drop_packet": 0, "drop_flow": 0, "reject": 0 },
        "midstream": { "pass_flow": 0, "bypass": 0, "drop_flow": 0, "reject": 0 },
        "reassembly": { "pass_packet": 0, "pass_flow": 0, "bypass": 0, "drop_packet": 0, "drop_flow": 0, "reject": 0 }
      }
    }
  }
}
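What the single `exception_policy` key buys a consumer of the stats log, shown as an added example that is not part of the ticket or of Suricata's code: one subtree walk finds every triggered exception policy, with no per-protocol key names to know in advance. It assumes the `stats` object arrives inside an EVE record with `event_type` set to `stats`; the function names and the counter values in the sample are constructed for illustration.

```python
import json

# Constructed sample record in the layout agreed in this ticket
# (counter values are made up; assumption: EVE wraps it with event_type "stats").
SAMPLE_EVE_LINE = json.dumps({
    "event_type": "stats",
    "stats": {"exception_policy": {
        "app_layer": {"error": {
            "summary": {"pass_packet": 0, "drop_flow": 1, "reject": 0},
            "http": {"pass_packet": 0, "drop_flow": 0, "reject": 0}}},
        "defrag": {"pass_packet": 0, "bypass": 0, "drop_packet": 0, "reject": 0},
        "flow": {"memcap": {"pass_packet": 0, "drop_packet": 4, "reject": 0}},
        "tcp": {"ssn_memcap": {"pass_flow": 0, "drop_flow": 0},
                "midstream": {"pass_flow": 7, "drop_flow": 0}},
    }},
})

def flatten(node, prefix=()):
    """Yield (dotted_path, value) for every leaf counter under node."""
    for key, value in node.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield ".".join(path), value

def triggered_exception_policies(eve_line, actions=None):
    """Return {path: count} for non-zero counters under stats.exception_policy.

    actions, if given, restricts the result to those leaf names
    (e.g. {"drop_packet", "drop_flow", "reject"}). Records that are not
    stats events, or that use the old layout without an exception_policy
    key, give an empty dict instead of raising.
    """
    record = json.loads(eve_line)
    if record.get("event_type") != "stats":
        return {}
    subtree = record.get("stats", {}).get("exception_policy", {})
    return {path: n for path, n in flatten(subtree)
            if n and (actions is None or path.rsplit(".", 1)[-1] in actions)}

if __name__ == "__main__":
    hits = triggered_exception_policies(SAMPLE_EVE_LINE)
    for path, n in sorted(hits.items()):
        print(f"exception_policy.{path} = {n}")
```
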
Updated by Victor Julien 7 days ago
- Subject changed from exceptions: use search-friendly log output to stats: exceptions: use search-friendly log output
Updated by Juliana Fajardini Reichow 7 days ago
- Status changed from New to In Review
PR for review:
https://github.com/OISF/suricata/pull/12823