Suricata

Thanks Zach. Could you submit a pull request? The whole process of contributing is documented here Contributing. Thanks!

Thanks, I will read through the steps for contributing and create the pull request.

Regarding the fix:
Further testing indicated that my fix alleviates the issue of the eve-log syslog parameters not taking effect, however when the 'syslog.enabled: yes' is defined at the same time (for fast-log style alerting to syslog), the identity and facility defined in the 'outputs.eve-log' section are overridden by the identity and facility specified in the 'syslog' section. This is because enabling syslog output for both of these logs causes 2 separate calls to the openlog API, where the identity and facility of the second openlog call overrides the first.

So in other words, the patch results in correct eve-log syslog output when it is the only syslog output enabled, however the facility and identity fields may be incorrect if the syslog (for fast-log alerting) is enabled at the same time with a different facility and identity specified.

Alleviation of the latter issue may require some higher level design changes, some possibilities:
-- (Least effort) Tell user that the identity and facility must be defined the same everywhere in the yaml
-- (A little effort) OR-ing the facility value with the level value in the syslog call – this would allow for different facilities, but not different identities
-- (Substantial effort) changing the yaml format such that the facility and identity are set in only one place and then changing the design such that openlog is only called once
-- Something else?

Regardless, I’ll submit the pull request, and you can decide if you’d like to accept it.