From b62de24aea3d23cd5773929d13eb583fba4ae503 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 17 Jun 2019 20:09:06 +0200
Subject: [PATCH] IDPS, duplicate eve logging section when syslog_eve is
 checked to support eve logging over syslog. Requires current syslog-ng work
 in master to be functional. closes
 https://github.com/opnsense/core/issues/3401

---
 .../OPNsense/IDS/forms/generalSettings.xml    | 10 ++++++++++
 .../mvc/app/models/OPNsense/IDS/IDS.xml       |  6 +++++-
 .../templates/OPNsense/IDS/suricata.yaml      | 19 +++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
index a8945463e..93a12760f 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
@@ -23,6 +23,16 @@
         <type>checkbox</type>
         <help><![CDATA[Send alerts to system log in fast log format. This will not change the alert logging used by the product itself.]]></help>
     </field>
+    <field>
+        <id>ids.general.syslog_eve</id>
+        <label>Enable eve syslog output</label>
+        <type>checkbox</type>
+        <help><![CDATA[
+          Send alerts in eve format to syslog, using log level info.
+          This will not change the alert logging used by the product itself.
+          Drop logs will only be send to the internal logger, due to restrictions in suricata.
+          ]]></help>
+    </field>
     <field>
         <id>ids.general.MPMAlgo</id>
         <label>Pattern matcher</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
index ff2c5dfd4..24a64788c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/IDS</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <description>
         OPNsense IDS
     </description>
@@ -169,6 +169,10 @@
                 <default>0</default>
                 <Required>Y</Required>
             </syslog>
+            <syslog_eve type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </syslog_eve>
             <LogPayload type="BooleanField">
                 <default>0</default>
                 <Required>Y</Required>
diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index d90892409..a9227721b 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
@@ -123,6 +123,25 @@ outputs:
                              # per flow direction. All logs each dropped pkt.
 #        - ssh
 
+{% if not helpers.empty('OPNsense.IDS.general.syslog_eve') %}
+  # Extensible Event Format (nicknamed EVE) to syslog
+  - eve-log:
+      enabled: yes
+      type: syslog
+      identity: "suricata"
+      facility: local5
+      level: Info
+      types:
+        - alert:
+{%     if not helpers.empty('OPNsense.IDS.general.LogPayload') %}
+             payload: yes
+             payload-buffer-size: 100kb
+             payload-printable: yes
+{%     endif %}
+             http: yes
+             tls: yes
+{% endif %}
+
   # alert output for use with Barnyard2
   - unified2-alert:
       enabled: no