<p>Open Information Security Foundation: Suricata - Feature #772: JSON output for alerts</p>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=2881">#2881</a>, 2013-03-12T04:06:59Z, Victor Julien (victor@inliniac.net)</p>
<p>From oisf-users:</p>
<blockquote>
<p>FYI, take a look at the yajl lib for JSON if you're looking for a lib.<br />Seems pretty nice and very light. We are using it in ironbee now.</p>
<p><a class="external" href="http://lloyd.github.com/yajl/">http://lloyd.github.com/yajl/</a></p>
</blockquote>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=2902">#2902</a>, 2013-03-15T05:39:28Z, Victor Julien (victor@inliniac.net)</p>
<blockquote><blockquote><blockquote><blockquote>
<p>We already use libjansson for the unix socket protocol, so using this<br />would require some refactoring. Do you think this yajl will bring big<br />benefits over libjansson?</p>
</blockquote>
<p>Depends on what you use it for. Yajl allows for stream-based parsing<br />directly into your own structures. No need to parse everything into a<br />tree of nodes and then read through that. So, I think yajl is more<br />efficiently using resources, but at the cost of some extra code<br />complexity due to having to write callbacks for each node type. We<br />needed the streaming parser for potentially large JSON structures coming<br />in chunks. Yajl is nice, but I think libjansson is as well. They just<br />solve different needs. For instance, you could build libjansson on top of<br />yajl.</p>
</blockquote>
<p>The only performance critical use we have is generating JSON records,<br />not parsing them. The unix socket code that parses JSON records is async<br />and we expect low volume. Otherwise we will be using it to generate<br />output based on alerts, events. So on the output side it is critical<br />that it's fast.</p>
</blockquote>
<p>If libjansson forces you to build a full in-memory JSON tree, then<br />traverse the tree again to write it out, then yajl may be more<br />performant, as yajl can stream this to the output.</p>
</blockquote>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=2903">#2903</a>, 2013-03-15T05:39:48Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Assignee</strong> set to <i>Eric Leblond</i></li></ul>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=3591">#3591</a>, 2013-10-26T10:21:16Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=3813">#3813</a>, 2013-11-28T04:11:51Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>Eric Leblond</i> to <i>Tom DeCanio</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>2.0beta2</i></li><li><strong>Parent task</strong> set to <i>#1007</i></li></ul>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=3903">#3903</a>, 2013-12-12T10:26:35Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Target version</strong> changed from <i>2.0beta2</i> to <i>2.0rc1</i></li></ul>
<p>Journal entry <a class="external" href="https://redmine.openinfosecfoundation.org/issues/772?journal_id=3981">#3981</a>, 2014-01-31T02:13:50Z, Victor Julien (victor@inliniac.net)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p>Merged through <a class="external" href="https://github.com/inliniac/suricata/pull/807">https://github.com/inliniac/suricata/pull/807</a></p>