From: Zachary Rasmor
Date: Wed, 3 Jun 2015 15:59:06 +0000 (-0400)
Subject: Add Feature #1454. Generic eve-log prefix support.
X-Git-Tag: suricata-3.0RC1~328
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0edf28a4f80b47c53dd09a4c1344dcf2311c40ae;p=thirdparty%2Fsuricata.git
Add Feature #1454. Generic eve-log prefix support.
---
diff --git a/src/output-json.c b/src/output-json.c
index e77dd6846a..4dea72c861 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -341,13 +341,29 @@ int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
         return TM_ECODE_OK;
     SCMutexLock(&file_ctx->fp_mutex);
-    if (file_ctx->type == LOGFILE_TYPE_SYSLOG) {
-        syslog(alert_syslog_level, "%s", js_s);
-    } else if (file_ctx->type == LOGFILE_TYPE_FILE ||
+    if (file_ctx->type == LOGFILE_TYPE_SYSLOG)
+    {
+        if (file_ctx->prefix != NULL)
+        {
+            syslog(alert_syslog_level, "%s%s", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            syslog(alert_syslog_level, "%s", js_s);
+        }
+    }
+    else if (file_ctx->type == LOGFILE_TYPE_FILE ||
                file_ctx->type == LOGFILE_TYPE_UNIX_DGRAM ||
                file_ctx->type == LOGFILE_TYPE_UNIX_STREAM)
     {
-        MemBufferWriteString(buffer, "%s\n", js_s);
+        if (file_ctx->prefix != NULL)
+        {
+            MemBufferWriteString(buffer, "%s%s\n", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            MemBufferWriteString(buffer, "%s\n", js_s);
+        }
         file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer), MEMBUFFER_OFFSET(buffer), file_ctx);
     }
@@ -456,6 +472,18 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
         }
     }
+    const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
+    if (prefix != NULL)
+    {
+        json_ctx->file_ctx->prefix = SCStrdup(prefix);
+        if (json_ctx->file_ctx->prefix == NULL)
+        {
+            SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for eve-log.prefix setting.");
+            exit(EXIT_FAILURE);
+        }
+    }
+
     if (json_ctx->json_out == LOGFILE_TYPE_FILE ||
         json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM ||
         json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM)
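Review bot: The null-prefix handling is written twice, once in the syslog branch and once in the file/unix-socket branch, and the rewrite drops the K&R brace layout the replaced `if (...) {` / `} else if` lines used in favour of braces on their own lines. Both collapse if the prefix is normalised once after `SCMutexLock`: `const char *prefix = file_ctx->prefix != NULL ? file_ctx->prefix : "";` followed by `syslog(alert_syslog_level, "%s%s", prefix, js_s);` and `MemBufferWriteString(buffer, "%s%s\n", prefix, js_s);` in place of the two if/else pairs. Whether MemBufferWriteString bounds the write is not visible here; if it truncates, a long prefix would silently cut the JSON record short, which deserves a comment on the file branch. OutputJSONBuffer starts and ends outside the hunk.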
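Review bot: `file_ctx->prefix` is SCStrdup'd in the second hunk but nothing in this diff frees it, so unless LogFileFreeCtx (not shown) releases it, every reload leaks the copy; the matching free belongs in the same commit. The value is also copied verbatim from the configuration, so a prefix containing a line break would split each eve record in two for line-oriented consumers; rejecting it at load time keeps the output well-formed, e.g. `if (strpbrk(prefix, "\r\n") != NULL) { SCLogError(SC_ERR_INVALID_ARGUMENT, "eve-log.prefix must not contain line breaks"); exit(EXIT_FAILURE); }` before the SCStrdup. Calling exit() on SCStrdup failure also differs from returning NULL, if that is how the rest of OutputJsonInitCtx reports errors; its body starts before the hunk.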
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5942494b7e..ce8defb9ab 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -94,6 +94,7 @@ outputs:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream
       filename: eve.json
+      #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
       #identity: "suricata"
       #facility: local5