Project

General

Profile

Actions

Feature #1454

closed

Proposal to add Lumberjack/CEE formatting option to EVE JSON syslog output for compatibility with rsyslog parsing

Added by Zach Rasmor over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I would like to propose a feature enhancement to make the eve-log syslog output format compatible with the Lumberjack/CEE format required by the mmjsonparse modification module of rsyslog.

The rsyslog mmjsonparse module requires the JSON portion of the message to be prepended by the “CEE cookie”, the character sequence “@cee:” (http://www.rsyslog.com/doc/mmjsonparse.html)
The mmjsonparse module parses JSON messages into their key-value pairs, allowing for direct access to relevant message fields. This is an alternative approach to relying on “contains” to essentially perform a string search on the JSON string. This is especially helpful when accessing the ‘event_type’ field for the purpose of redirecting JSON output from various event types to different files/locations.

I created the following patch to test this and the results have been positive. I propose adding a line in the eve-log.syslog section of the yaml file (line range 99-101) that is called “lumberjack-cee-format: yes/no”, which will be evaluated in an if/else block that will enclose the patched area below.

--- suricata-2.1beta3/src/output-json.c 2015-01-29 15:52:53.000000000 0000
++ suricata-2.1beta3/src/output-json-lumberjack.c 2015-04-20 15:46:29.973693576 +0000
@ -346,7 +346,7 @

SCMutexLock(&file_ctx->fp_mutex);
if (json_out ALERT_SYSLOG) {
- syslog(alert_syslog_level, "%s", js_s);
+ syslog(alert_syslog_level, "%s%s", "@cee: ", js_s);
} else if (json_out ALERT_FILE || json_out ALERT_UNIX_DGRAM || json_out ALERT_UNIX_STREAM) {
MemBufferWriteString(buffer, "%s\n", js_s);
file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer),

I am willing to perform the development for this enhancement if there are no objections or additional feedback.


Related issues 1 (0 open1 closed)

Related to Suricata - Bug #1602: eve-log prefix field feature brokenClosedEric Leblond11/25/2015Actions
Actions

Also available in: Atom PDF