Add Feature #1454. Generic eve-log prefix support.

10 years ago · 0edf28a4f8
parent a083513c49
commit 0edf28a4f8
2 changed files with 33 additions and 4 deletions
--- a/src/output-json.c
+++ b/src/output-json.c
@ -341,13 +341,29 @@ int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer *buffer)
        return TM_ECODE_OK;

    SCMutexLock(&file_ctx->fp_mutex);
-    if (file_ctx->type == LOGFILE_TYPE_SYSLOG) {
-        syslog(alert_syslog_level, "%s", js_s);
-    } else if (file_ctx->type == LOGFILE_TYPE_FILE ||
+    if (file_ctx->type == LOGFILE_TYPE_SYSLOG)
+    {
+        if (file_ctx->prefix != NULL)
+        {
+            syslog(alert_syslog_level, "%s%s", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            syslog(alert_syslog_level, "%s", js_s);
+        }
+    }
+    else if (file_ctx->type == LOGFILE_TYPE_FILE ||
               file_ctx->type == LOGFILE_TYPE_UNIX_DGRAM ||
               file_ctx->type == LOGFILE_TYPE_UNIX_STREAM)
    {
-        MemBufferWriteString(buffer, "%s\n", js_s);
+        if (file_ctx->prefix != NULL)
+        {
+            MemBufferWriteString(buffer, "%s%s\n", file_ctx->prefix, js_s);
+        }
+        else
+        {
+            MemBufferWriteString(buffer, "%s\n", js_s);
+        }
        file_ctx->Write((const char *)MEMBUFFER_BUFFER(buffer),
            MEMBUFFER_OFFSET(buffer), file_ctx);
    }
@ -456,6 +472,18 @@ OutputCtx *OutputJsonInitCtx(ConfNode *conf)
            }
        }

+        const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
+        if (prefix != NULL)
+        {
+            json_ctx->file_ctx->prefix = SCStrdup(prefix);
+            if (json_ctx->file_ctx->prefix == NULL)
+            {
+                SCLogError(SC_ERR_MEM_ALLOC,
+                    "Failed to allocate memory for eve-log.prefix setting.");
+                exit(EXIT_FAILURE);
+            }
+        }
+
        if (json_ctx->json_out == LOGFILE_TYPE_FILE ||
            json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM ||
            json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -94,6 +94,7 @@ outputs:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream
      filename: eve.json
+      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      #identity: "suricata"
      #facility: local5