add exception_policy field to netflow eve records #15342
Closed
The flow logger has carried an exception_policy array since policies were added, but the netflow logger never read the same per-flow attribute. As a result, users could not see which exception triggered or what action was applied when looking at netflow events. We expose the helper that the flow logger already uses and call it from both the toserver and toclient netflow records so the two event types stay aligned.
Codecov Report: All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main   #15342      +/-   ##
==========================================
- Coverage   82.66%   82.64%   -0.03%
==========================================
  Files         995      995
  Lines      271046   271054       +8
==========================================
- Hits       224069   224014      -55
- Misses      46977    47040      +63
victorjulien (Member) requested changes, May 9, 2026:
Thanks for looking into this.
However, please make sure to follow our contribution guidelines:
https://docs.suricata.io/en/latest/devguide/contributing/index.html
Author
Superseded by #15349, which addresses the contribution guideline feedback (subsystem-prefixed commit, ticket reference, separate docs commit, branch v2). The verify-side test is in OISF/suricata-verify#3075.
Issue #8499 reports that exception_policy shows up under flow events but not under netflow events, even when the same flow triggers a midstream drop. Both loggers consume the same applied_exception_policy state on the flow object, but the helper that formats the array was static to the flow logger so the netflow logger had no way to emit it. This change drops the static qualifier and declares the helper in output-json-flow.h, then calls it from both netflow records so the field shows up in toserver and toclient events. I also updated etc/schema.json to document the new field and verified the fix end to end with a midstream pcap and drop-flow stream policy.
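The pattern the PR describes, as an added example that is neither Suricata's code nor part of this PR: one exception-policy formatter that the flow record and both netflow directions call, so the field can never be present on one event type and missing on the other, together with the consistency check a verify-side test would run against the two records. Every identifier (the Example* names, the target/policy keys inside the array, the sample addresses and the "stream_midstream"/"drop_flow" values) is an assumption made for this sketch, not a statement about Suricata's structures or schema.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the per-flow state both loggers read. The target/policy
 * pair and every identifier here are assumptions, not Suricata's own names. */
struct ExampleAppliedPolicy {
    const char *target; /* which check triggered, e.g. a midstream pickup */
    const char *policy; /* action applied, e.g. drop_flow */
};

struct ExampleFlow {
    const char *src_ip, *dest_ip;
    struct ExampleAppliedPolicy applied[4];
    int napplied;
};

/* Append s to a bounded buffer tracked by *len; returns 0 if it would not fit. */
static int ExampleAppend(char *out, size_t cap, size_t *len, const char *s)
{
    size_t slen = strlen(s);
    if (*len + slen + 1 > cap) return 0;
    memcpy(out + *len, s, slen + 1);
    *len += slen;
    return 1;
}

/* The shared formatter: the one place that renders the exception_policy array, so
 * flow and netflow records cannot drift apart. Returns 1 with the JSON array in out
 * when a policy applied, 0 (empty out) when the field should be omitted. */
int ExampleFormatExceptionPolicy(const struct ExampleFlow *f, char *out, size_t cap)
{
    size_t len = 0;
    if (cap) out[0] = '\0';
    if (f->napplied <= 0 || !ExampleAppend(out, cap, &len, "[")) return 0;
    for (int i = 0; i < f->napplied && i < 4; i++) {
        char item[128];
        snprintf(item, sizeof item, "%s{\"target\":\"%s\",\"policy\":\"%s\"}",
                 i ? "," : "", f->applied[i].target, f->applied[i].policy);
        if (!ExampleAppend(out, cap, &len, item)) return 0;
    }
    return ExampleAppend(out, cap, &len, "]");
}

/* Common record body. with_policy selects whether the shared formatter runs;
 * passing 0 reproduces the pre-fix netflow output that omitted the field. */
static int ExampleBuildRecord(const struct ExampleFlow *f, const char *event_type,
                              const char *direction, int with_policy, char *out, size_t cap)
{
    char head[192], dir[64], policy[256];
    size_t len = 0;
    if (cap) out[0] = '\0';
    snprintf(head, sizeof head, "{\"event_type\":\"%s\",\"src_ip\":\"%s\",\"dest_ip\":\"%s\"",
             event_type, f->src_ip, f->dest_ip);
    snprintf(dir, sizeof dir, ",\"direction\":\"%s\"", direction ? direction : "");
    if (!ExampleAppend(out, cap, &len, head)) return 0;
    if (direction && !ExampleAppend(out, cap, &len, dir)) return 0;
    if (with_policy && ExampleFormatExceptionPolicy(f, policy, sizeof policy)) {
        if (!ExampleAppend(out, cap, &len, ",\"exception_policy\":")) return 0;
        if (!ExampleAppend(out, cap, &len, policy)) return 0;
    }
    return ExampleAppend(out, cap, &len, "}");
}

int ExampleBuildFlowRecord(const struct ExampleFlow *f, char *out, size_t cap)
{
    return ExampleBuildRecord(f, "flow", NULL, 1, out, cap);
}

/* Netflow after the change: one record per direction, same formatter as flow. */
int ExampleBuildNetflowRecord(const struct ExampleFlow *f, const char *dir, char *out, size_t cap)
{
    return ExampleBuildRecord(f, "netflow", dir, 1, out, cap);
}

/* Consistency check a verify-style test would run: 1 when both records carry the
 * same exception_policy value, or both omit it; 0 otherwise. */
int ExampleExceptionPolicyMatches(const char *rec_a, const char *rec_b)
{
    const char *key = "\"exception_policy\":";
    const char *a = strstr(rec_a, key), *b = strstr(rec_b, key);
    if (!a && !b) return 1;
    if (!a || !b) return 0;
    a += strlen(key), b += strlen(key);
    const char *ae = strchr(a, ']'), *be = strchr(b, ']');
    if (!ae || !be) return 0;
    return (ae - a) == (be - b) && memcmp(a, b, (size_t)(ae - a)) == 0;
}

/* Scenario from the PR, with constructed values: a midstream pickup under a drop-flow
 * stream policy. Returns 1 when the fixed netflow record agrees with the flow record
 * while the pre-fix shape (with_policy = 0) does not. */
int ExampleCheckMidstreamDropFlow(void)
{
    struct ExampleFlow f = { "10.0.0.5", "10.0.0.9", { { "stream_midstream", "drop_flow" } }, 1 };
    char flow[512], nf[512], legacy[512];
    if (!ExampleBuildFlowRecord(&f, flow, sizeof flow) ||
        !ExampleBuildNetflowRecord(&f, "toserver", nf, sizeof nf) ||
        !ExampleBuildRecord(&f, "netflow", "toclient", 0, legacy, sizeof legacy)) return 0;
    return ExampleExceptionPolicyMatches(flow, nf) && !ExampleExceptionPolicyMatches(flow, legacy);
}
```

The field is omitted entirely when no policy applied, so the check treats "absent in both records" as consistent and only flags the case the issue reports: present on the flow event, missing on the netflow event. Keeping a single formatter is what makes that property hold without a per-logger test for every policy combination.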