Suricata

I would like to propose a feature enhancement to make the eve-log syslog output format compatible with the Lumberjack/CEE format required by the mmjsonparse modification module of rsyslog.

The rsyslog mmjsonparse module requires the JSON portion of the message to be prepended by the “CEE cookie”, the character sequence “@cee:” (http://www.rsyslog.com/doc/mmjsonparse.html)
The mmjsonparse module parses JSON messages into their key-value pairs, allowing for direct access to relevant message fields. This is an alternative approach to relying on “contains” to essentially perform a string search on the JSON string. This is especially helpful when accessing the ‘event_type’ field for the purpose of redirecting JSON output from various event types to different files/locations.

I created the following patch to test this and the results have been positive. I propose adding a line in the eve-log.syslog section of the yaml file (line range 99-101) that is called “lumberjack-cee-format: yes/no”, which will be evaluated in an if/else block that will enclose the patched area below.

--- suricata-2.1beta3/src/output-json.c 2015-01-29 15:52:53.000000000 0000
++ suricata-2.1beta3/src/output-json-lumberjack.c 2015-04-20 15:46:29.973693576 +0000
@ -346,7 +346,7 @

SCMutexLock(&file_ctx->fp_mutex);
     if (json_out  ALERT_SYSLOG) {
-        syslog(alert_syslog_level, "%s", js_s);
+        syslog(alert_syslog_level, "%s%s", "@cee: ", js_s);
     } else if (json_out  ALERT_FILE || json_out  ALERT_UNIX_DGRAM || json_out  ALERT_UNIX_STREAM) {
         MemBufferWriteString(buffer, "%s\n", js_s);
         file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer),

I am willing to perform the development for this enhancement if there are no objections or additional feedback.