From 00b6bcefc48cccaeae6665ce4f37998b2fc806dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 14 Feb 2018 20:48:51 +0000
Subject: [PATCH] intrusion detection: straighten syslog output

If enabled, now consistenly log into a clog suricata.log. Since the last rework suricata syslog output landed in system.log because the suricata.syslog.log file was removed, but this one was never read because syslog.log was not a real log file.
---
 src/etc/inc/plugins.inc.d/suricata.inc | 11 +++++++++++
 .../service/templates/OPNsense/IDS/newsyslog.conf | 1 -
 .../service/templates/OPNsense/IDS/suricata.yaml | 3 ---
 src/www/diag_logs_settings.php | 2 +-
 src/www/diag_logs_suricata.php | 2 +-
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/suricata.inc b/src/etc/inc/plugins.inc.d/suricata.inc
index 5c833dd32..f7c016f8f 100644
--- a/src/etc/inc/plugins.inc.d/suricata.inc
+++ b/src/etc/inc/plugins.inc.d/suricata.inc
@@ -47,6 +47,17 @@ function suricata_services()
     return $services;
 }
 
+function suricata_syslog()
+{
+    $logfacilities = array();
+
+    $logfacilities['suricata'] = array(
+        'facility' => array('suricata'),
+    );
+
+    return $logfacilities;
+}
+
 function suricata_xmlrpc_sync()
 {
     $result = array();
diff --git a/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf b/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
index fc7f9c99b..463726bf2 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
+++ b/src/opnsense/service/templates/OPNsense/IDS/newsyslog.conf
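Review bot: `suricata_syslog()` is a plugin hook discovered by name, and nothing in the hunk says what the returned structure means or who consumes it; a docblock would help, e.g. `/** Syslog plugin hook: facilities whose messages are routed into the suricata log. */` (the consumer is presumably the system syslog plugin — worth confirming and naming it). Since the suricata.yaml hunk in this same patch drops the file output while the console output stays disabled, this facility appears to be the only remaining sink for the engine log (startup and rule-load errors included), and only when the IDS syslog option is on; stating that in the docblock would spare the next reader a hunt through the templates. Stylistically the two-step build can collapse to a single literal, `return array('suricata' => array('facility' => array('suricata')));`, which keeps the file's existing `array()` convention.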
@@ -1,7 +1,6 @@
 # logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
 {% if helpers.exists('OPNsense.IDS.general') and OPNsense.IDS.general.enabled|default("0") == "1" %}
 /var/log/suricata/stats.log root:wheel 640 7 * $D0 B /var/run/suricata.pid 1
-/var/log/suricata.log root:wheel 640 7 * $D0 B /var/run/suricata.pid 1
 /var/log/suricata/eve.json root:wheel 640 {{ OPNsense.IDS.general.AlertSaveLogs|default("4") }} 500000 ${{ OPNsense.IDS.general.AlertLogrotate|default("W0D23") }} B /var/run/suricata.pid 1
diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index 06519c06a..b52980cdc 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
@@ -749,9 +749,6 @@ logging:
   outputs:
   - console:
       enabled: no
-  - file:
-      enabled: yes
-      filename: /var/log/suricata.log
   - syslog:
       enabled: {% if helpers.exists('OPNsense.IDS.general.syslog') and OPNsense.IDS.general.syslog|default('0') == '0' %}no{% else %}yes{% endif %}
diff --git a/src/www/diag_logs_settings.php b/src/www/diag_logs_settings.php
index dd2a652b2..f9b6e649d 100644
--- a/src/www/diag_logs_settings.php
+++ b/src/www/diag_logs_settings.php
@@ -56,6 +56,7 @@ function clear_all_log_files()
         'relayd',
         'resolver',
         'routing',
+        'suricata',
         'system',
         'vpn',
         'wireless',
@@ -65,7 +66,6 @@ function clear_all_log_files()
         'squid/access',
         'squid/cache',
         'squid/store',
-        'suricata',
     );
 
     foreach ($clog_files as $lfile) {
diff --git a/src/www/diag_logs_suricata.php b/src/www/diag_logs_suricata.php
index d5b4ffb7e..38852be6d 100644
--- a/src/www/diag_logs_suricata.php
+++ b/src/www/diag_logs_suricata.php
@@ -1,7 +1,7 @@