Add Feature #1454. Generic eve-log prefix support.

author Zachary Rasmor <zachary.r.rasmor@lmco.com>

Wed, 3 Jun 2015 15:59:06 +0000 (11:59 -0400)

committer Victor Julien <victor@inliniac.net>

Wed, 10 Jun 2015 10:38:44 +0000 (12:38 +0200)
author Zachary Rasmor <zachary.r.rasmor@lmco.com>
Wed, 3 Jun 2015 15:59:06 +0000 (11:59 -0400)
committer Victor Julien <victor@inliniac.net>
Wed, 10 Jun 2015 10:38:44 +0000 (12:38 +0200)
diff --git a/src/output-json.c b/src/output-json.c

index e77dd6846a7133f1e2b6c347b35d0b35c2ac0158..4dea72c8618f81d551c58004f335c4e687608bfb 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -341,13 +341,29 @@ int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
          return TM_ECODE_OK;
  
      SCMutexLock(&file_ctx->fp_mutex);
-    if (file_ctx->type == LOGFILE_TYPE_SYSLOG) {
-        syslog(alert_syslog_level, "%s", js_s);
-    } else if (file_ctx->type == LOGFILE_TYPE_FILE ||
+    if (file_ctx->type == LOGFILE_TYPE_SYSLOG)
+    {
+        if (file_ctx->prefix != NULL)
+        {
+            syslog(alert_syslog_level, "%s%s", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            syslog(alert_syslog_level, "%s", js_s);
+        }
+    }
+    else if (file_ctx->type == LOGFILE_TYPE_FILE ||
                 file_ctx->type == LOGFILE_TYPE_UNIX_DGRAM ||
                 file_ctx->type == LOGFILE_TYPE_UNIX_STREAM)
      {
-        MemBufferWriteString(buffer, "%s\n", js_s);
+        if (file_ctx->prefix != NULL)
+        {
+            MemBufferWriteString(buffer, "%s%s\n", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            MemBufferWriteString(buffer, "%s\n", js_s);
+        }
          file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer),
              MEMBUFFER_OFFSET(buffer), file_ctx);
      }
@@ -456,6 +472,18 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
              }
          }
  
+        const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
+        if (prefix != NULL)
+        {
+            json_ctx->file_ctx->prefix = SCStrdup(prefix);
+            if (json_ctx->file_ctx->prefix == NULL)
+            {
+                SCLogError(SC_ERR_MEM_ALLOC,
+                    "Failed to allocate memory for eve-log.prefix setting.");
+                exit(EXIT_FAILURE);
+            }
+        }
+
          if (json_ctx->json_out == LOGFILE_TYPE_FILE ||
              json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM ||
              json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM)
diff --git a/suricata.yaml.in b/suricata.yaml.in

index 5942494b7ea407e0e7ca82ed6423b987498dbffc..ce8defb9abdbe803702fc1771a124ce44aae0890 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -94,6 +94,7 @@ outputs:
        enabled: yes
        filetype: regular #regular|syslog|unix_dgram|unix_stream
        filename: eve.json
+      #prefix: "@cee: " # prefix to prepend to each log entry
        # the following are valid when type: syslog above
        #identity: "suricata"
        #facility: local5
author	Zachary Rasmor <zachary.r.rasmor@lmco.com>
	Wed, 3 Jun 2015 15:59:06 +0000 (11:59 -0400)
committer	Victor Julien <victor@inliniac.net>
	Wed, 10 Jun 2015 10:38:44 +0000 (12:38 +0200)
src/output-json.c		patch \| blob \| blame \| history
suricata.yaml.in		patch \| blob \| blame \| history