Format of syslog is not RFC Compliant
jjfallete opened this issue · 0 comments
jjfallete commented
Is your feature request related to a problem? Please describe.
Currently, the cb-event-forwarder does not use an RFC-compliant syslog format (RFC 3164 or RFC 5424). As a result, syslog servers do not properly parse the hostname identifier without manual intervention; some fall back to using the sending IP address to identify the source.
Here is an example of an event sent from the cb-event-forwarder:
```
<6> 2024-01-25T12:00:00-04:00 CBSERVER /usr/share/cb/integrations/event-forwarder/cb-event-forwarder[10000]: LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER command_line=...
```
If this were RFC-compliant, we'd see either:
```
// RFC 5424 (version "1" header, RFC 3339 timestamp, APP-NAME and PROCID as separate fields)
<6>1 2024-01-25T12:00:00-04:00 CBSERVER /usr/share/cb/integrations/event-forwarder/cb-event-forwarder 10000 LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER command_line=...
// RFC 3164 ("Mmm dd hh:mm:ss" timestamp directly after the PRI field)
<6>Jan 25 12:00:00 CBSERVER LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER command_line=...
```
Describe the solution you'd like
Update the cb-event-forwarder to be RFC compliant. RFC 3164 may be more desirable as it is most similar to the existing format and is more detailed.
After reviewing the codebase, I believe only a small change is needed to do this...
After this line:
Add:
```go
// Reference from the syslog import source: github.com/RackSec/srslog/blob/master/formatter.go#L35
o.outputSocket.SetFormatter(syslog.RFC3164Formatter) // Alternatively: RFC5424Formatter
```
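As an added illustration (not code from the issue or from the cb-event-forwarder project), the three srslog formatters are reproduced below with the timestamp and pid passed in so the output is deterministic, next to a strict header parser of the kind a receiver uses to pull out HOSTNAME. The format strings are assumed to match srslog's `DefaultFormatter`, `RFC3164Formatter` and `RFC5424Formatter`; the host, tag and LEEF payload values are constructed from the event shown above.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// defaultFormat mirrors srslog's DefaultFormatter (what the forwarder emits today).
// The space after the PRI bracket is exactly what strict receivers choke on.
func defaultFormat(pri int, ts time.Time, host, tag, msg string, pid int) string {
	return fmt.Sprintf("<%d> %s %s %s[%d]: %s", pri, ts.Format(time.RFC3339), host, tag, pid, msg)
}

// rfc3164Format mirrors srslog's RFC3164Formatter: "Mmm dd hh:mm:ss" timestamp right after PRI.
func rfc3164Format(pri int, ts time.Time, host, tag, msg string, pid int) string {
	return fmt.Sprintf("<%d>%s %s %s[%d]: %s", pri, ts.Format(time.Stamp), host, tag, pid, msg)
}

// rfc5424Format mirrors srslog's RFC5424Formatter: version 1, RFC 3339 timestamp,
// APP-NAME, PROCID, the tag in the MSGID slot, "-" for structured data, then MSG.
func rfc5424Format(pri int, ts time.Time, host, app, tag, msg string, pid int) string {
	return fmt.Sprintf("<%d>1 %s %s %s %d %s - %s", pri, ts.Format(time.RFC3339), host, app, pid, tag, msg)
}

var (
	re5424 = regexp.MustCompile(`^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*\]) ?(.*)$`)
	re3164 = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$`)
)

// hostnameOf extracts HOSTNAME the way a strict receiver would. An empty result
// means the receiver would fall back to the sending peer's IP address.
func hostnameOf(line string) string {
	if m := re5424.FindStringSubmatch(line); m != nil {
		return m[3]
	}
	if m := re3164.FindStringSubmatch(line); m != nil {
		return m[3]
	}
	return ""
}

func main() {
	ts := time.Date(2024, 1, 25, 12, 0, 0, 0, time.FixedZone("", -4*3600)) // constructed
	tag, msg := "cb-event-forwarder", "LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER"
	for _, l := range []string{
		defaultFormat(6, ts, "CBSERVER", tag, msg, 10000),
		rfc3164Format(6, ts, "CBSERVER", tag, msg, 10000),
		rfc5424Format(6, ts, "CBSERVER", tag, tag, msg, 10000),
	} {
		fmt.Printf("host=%-9q %s\n", hostnameOf(l), l) // default format yields host=""
	}
}
```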
Describe alternatives you've considered
N/A
Additional context
N/A