server: Add support for reading eve-log through unix socket file #336
base: main
Conversation
Pull Request Overview
Adds support for reading Suricata’s EVE JSON log over a Unix stream socket by introducing a new EveReaderSocket implementation and wiring socket inputs through the server and agent pipelines.
- Factor EveReader into a trait with file- and socket-based implementations
- Extend CLI (`main.rs`, `agent.rs`, `oneshot.rs`) and watcher to accept `input.sockets`
- Update `Processor` and exports to be generic over any `EveReader`
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/server/main.rs | Add get_input_sockets and include sockets in input |
| src/eve/watcher.rs | Track and spawn socket-based readers |
| src/eve/reader.rs | Define EveReaderSocket and refactor EveReader |
| src/eve/processor.rs | Make Processor generic over the EveReader trait |
| src/eve/mod.rs | Export new reader types |
| src/cli/oneshot.rs | Use EveReaderFile instead of the old struct |
| src/cli/agent.rs | Add socket runner and get_eve_sockets |
| examples/evebox.yaml | Document input.sockets option in server example |
| examples/agent.yaml | Document input.sockets option in agent example |
Comments suppressed due to low confidence (3)
src/server/main.rs:186
- The error message only mentions "paths" but now also checks sockets; consider updating it to something like "no paths or sockets provided".
```rust
bail!("EVE input enabled, but no paths provided");
```
src/eve/watcher.rs:18
- [nitpick] The field `filenames` is also used to track socket paths; consider renaming it to something like `seen_paths` or `sources` for clarity.
```rust
filenames: HashSet<PathBuf>,
```
src/eve/reader.rs:13
- This import isn't used anywhere; it can be removed to keep dependencies minimal.
```rust
use std::os::unix::fs::FileTypeExt;
```
src/cli/agent.rs
```rust
    Ok(eve_filenames)
}

fn get_eve_sockets(config: &Config) -> anyhow::Result<Vec<String>> {
```
Copilot AI, May 23, 2025
[nitpick] Logic for reading sockets is duplicated from server; consider extracting a shared utility function to avoid code duplication.
src/eve/reader.rs
Outdated
```rust
        self.reader = Some(BufReader::new(socket));
        Ok(())
    } else {
        panic!("UnixListener has not been created!");
```
Copilot AI, May 23, 2025
Panicking on a missing listener may crash the server; return a EveReaderError instead to handle the error gracefully.
```rust
use crate::config::Config;
use crate::eve;
use crate::eve::EveReader;
```
Copilot AI, May 23, 2025
The EveReader trait import is unused in this file; consider removing it.
Thanks. Don't jump on any of the Copilot stuff yet. I just find it useful for insight before looking in. Seems like a useful feature, will look more closely in the following days.
Great. Is this a feature you would actually use? I think it does make sense to have it. Some low hanging items to address first:
While I don't think it makes sense to test/implement this on Windows, you can also make sure you are clippy clean on Windows. Cross (https://github.com/cross-rs/cross) can check this for you: (Don't worry too much about this.) I should have CI jobs for the above, but don't yet. Might be a bit before I can actually try this out though.
force-pushed from 810acc5 to 423a972
It's hardly an essential feature, but it is useful if one would like to save on disk space and IO operations on the Suricata machine.
Clippy and cargo fmt changes have been amended to the pull request commit.
Done. Although Unix sockets are available in Windows, I don't know if Suricata supports it, and Rust's standard library functions are tagged Unix only. Regarding the
clippy clean on unix and windows cargo fmt changes applied
This change makes it possible to use Suricata's unix_stream output for the EVE log. Suricata acts as the client and does not create a socket file, so EveBox takes on the server role of creating a socket file in `EveReader::open` and then accepting a connection, if not already established, in `EveReader::next_record()`. It has only been tested on Linux with the SQLite backend, not Elasticsearch.
The code change overview is:
I am just starting to learn rust and any advice on using the language or how you would like to see this feature implemented differently is very welcome. For one, it is ugly to see the EveReader trait specify seeking functions that are only used for bookmarks when it cannot apply to sockets.
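How the two sides of this feature are wired together, as an added example that is not taken from the PR's `examples/evebox.yaml` or `examples/agent.yaml`. The Suricata half (`filetype: unix_stream` under `eve-log`) is Suricata's documented output configuration; the EveBox half uses the `input.sockets` option this PR introduces, but the exact shape of the `input` block (including `enabled`) and the socket path are assumptions.

```yaml
# Suricata side (suricata.yaml): eve-log as a unix_stream client.
# Suricata connects to this path; it does not create the socket file,
# so EveBox must be running and listening before Suricata starts.
outputs:
  - eve-log:
      enabled: yes
      filetype: unix_stream
      filename: /var/run/suricata/eve.sock
      types:
        - alert
        - flow
---
# EveBox side (evebox.yaml or agent.yaml): assumed shape of the input.sockets
# option from this PR. EveBox binds the socket file, so the directory must be
# writable by the EveBox user and the socket connectable by the Suricata user.
input:
  enabled: true
  sockets:
    - /var/run/suricata/eve.sock
```

Because the roles are inverted compared with file input (EveBox creates the path, Suricata opens it), a stale socket file left by a crashed EveBox will make the next `bind()` fail unless it is unlinked first, and the socket's mode decides whether a differently-privileged Suricata can connect at all.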
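A minimal socket-backed reader following the design described above, written as an added example rather than taken from EveBox or this PR. The names `EveReaderSocket`, `EveReaderError`, `open` and `next_record` mirror the PR description but their signatures here are assumptions. It shows the two points a reviewer would want handled: calling `next_record` before `open` returns an error instead of panicking (the case Copilot flagged), and a stale socket file from a previous run is unlinked before `bind`, but only after confirming via `FileTypeExt::is_socket` that the path really is a socket, so a mistyped path never deletes a regular file. The `0o660` mode is an assumption about how Suricata and EveBox share a group.

```rust
// Added example, not EveBox's own code. EveBox binds the Unix socket
// (server role); Suricata's unix_stream output connects to it (client).
use std::fs;
use std::io::{self, BufRead, BufReader};
use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::PathBuf;

/// Errors the caller can handle instead of crashing the server.
#[derive(Debug)]
pub enum EveReaderError {
    /// next_record() was called before open() bound the listener.
    NotOpened,
    /// The configured path exists but is not a socket; refuse to unlink it.
    NotASocket(PathBuf),
    Io(io::Error),
}

impl From<io::Error> for EveReaderError {
    fn from(e: io::Error) -> Self {
        EveReaderError::Io(e)
    }
}

pub struct EveReaderSocket {
    path: PathBuf,
    listener: Option<UnixListener>,
    reader: Option<BufReader<UnixStream>>,
}

impl EveReaderSocket {
    pub fn new(path: impl Into<PathBuf>) -> Self {
        EveReaderSocket { path: path.into(), listener: None, reader: None }
    }

    /// Create the socket file. A stale socket left by a previous run is
    /// unlinked first (bind() would otherwise fail with EADDRINUSE), but only
    /// if it really is a socket, so a misconfigured path never deletes a file.
    pub fn open(&mut self) -> Result<(), EveReaderError> {
        match fs::symlink_metadata(&self.path) {
            Ok(meta) if meta.file_type().is_socket() => fs::remove_file(&self.path)?,
            Ok(_) => return Err(EveReaderError::NotASocket(self.path.clone())),
            Err(e) if e.kind() == io::ErrorKind::NotFound => {}
            Err(e) => return Err(e.into()),
        }
        let listener = UnixListener::bind(&self.path)?;
        // Assumption: Suricata runs as another user in a shared group, so
        // group read/write is enough and "other" gets no access.
        fs::set_permissions(&self.path, fs::Permissions::from_mode(0o660))?;
        self.listener = Some(listener);
        Ok(())
    }

    /// Block until Suricata connects, then buffer the stream for line reads.
    fn accept(&mut self) -> Result<(), EveReaderError> {
        let listener = self.listener.as_ref().ok_or(EveReaderError::NotOpened)?;
        let (stream, _) = listener.accept()?;
        self.reader = Some(BufReader::new(stream));
        Ok(())
    }

    /// Return the next EVE record (one JSON object per line). Accepts a
    /// connection if none is established; returns Ok(None) when the client
    /// disconnects, after which the next call waits for a new connection.
    pub fn next_record(&mut self) -> Result<Option<String>, EveReaderError> {
        if self.reader.is_none() {
            self.accept()?;
        }
        let mut line = String::new();
        loop {
            line.clear();
            let reader = self.reader.as_mut().ok_or(EveReaderError::NotOpened)?;
            if reader.read_line(&mut line)? == 0 {
                // EOF: Suricata closed or restarted. Drop the stream so the
                // next call re-accepts instead of spinning on a dead socket.
                self.reader = None;
                return Ok(None);
            }
            let record = line.trim();
            if !record.is_empty() {
                return Ok(Some(record.to_string()));
            }
        }
    }
}

impl Drop for EveReaderSocket {
    /// Remove the socket file we created so the next start does not see it as stale.
    fn drop(&mut self) {
        if self.listener.is_some() {
            let _ = fs::remove_file(&self.path);
        }
    }
}
```

Seeking and bookmarks, which the PR author notes do not apply to sockets, are left out on purpose: a connection has no offset to resume from, so the only recovery after a disconnect is to accept the next connection and take whatever Suricata sends from then on.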