+ /* Insert data */
+ if (syslog_config->format == DEFAULT_CSYSLOG) {
+ /* Build syslog message */
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "<%u>%s %s ossec: Alert Level: %u; Rule: %u - %s; Location: %s;",
+ syslog_config->priority, tstamp, hostname,
+ al_data->level,
+ al_data->rule, al_data->comment,
+ al_data->location
+ );
+ field_add_string(syslog_msg, OS_SIZE_2048, " classification: %s;", al_data->group );
+ field_add_string(syslog_msg, OS_SIZE_2048, " srcip: %s;", al_data->srcip );
+#ifdef LIBGEOIP_ENABLED
+ field_add_string(syslog_msg, OS_SIZE_2048, " srccity: %s;", al_data->srcgeoip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dstcity: %s;", al_data->dstgeoip );
+#endif
+ field_add_string(syslog_msg, OS_SIZE_2048, " dstip: %s;", al_data->dstip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " user: %s;", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s;", al_data->old_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s;", al_data->new_md5 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Previous SHA1: %s;", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Current SHA1: %s;", al_data->new_sha1 );
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ field_add_string(syslog_msg, OS_SIZE_2048, " Size changed: from %s;", al_data->file_size );
+ field_add_string(syslog_msg, OS_SIZE_2048, " User ownership: was %s;", al_data->owner_chg );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Group ownership: was %s;", al_data->group_chg );
+ field_add_string(syslog_msg, OS_SIZE_2048, " Permissions changed: from %s;", al_data->perm_chg );
+ /* "9/19/2016 - Sivakumar Nellurandi - parsing additions" */
+ field_add_truncated(syslog_msg, OS_SIZE_2048, " %s", al_data->log[0], 2 );
+ } else if (syslog_config->format == CEF_CSYSLOG) {
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "<%u>%s CEF:0|%s|%s|%s|%u|%s|%u|dvc=%s cs1=%s cs1Label=Location",
+ syslog_config->priority,
+ tstamp,
+ __author,
+ __ossec_name,
+ __version,
+ al_data->rule,
+ al_data->comment,
+ (al_data->level > 10) ? 10 : al_data->level,
+ hostname, al_data->location);
+ field_add_string(syslog_msg, OS_SIZE_2048, " classification=%s", al_data->group );
+ field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip );
+ field_add_int(syslog_msg, OS_SIZE_2048, " dpt=%d", al_data->dstport );
+ field_add_int(syslog_msg, OS_SIZE_2048, " spt=%d", al_data->srcport );
+ field_add_string(syslog_msg, OS_SIZE_2048, " fname=%s", al_data->filename );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dhost=%s", al_data->dstip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " shost=%s", al_data->srcip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip );
+#ifdef LIBGEOIP_ENABLED
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs4Label=SrcCity cs4=%s", al_data->srcgeoip );
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs5Label=DstCity cs5=%s", al_data->dstgeoip );
+#endif
+ field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user );
+ field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip );
+ field_add_truncated(syslog_msg, OS_SIZE_2048, " msg=%s", al_data->log[0], 2 );
+ if (al_data->new_md5 && al_data->new_sha1) {
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs2Label=OldMD5 cs2=%s", al_data->old_md5);
+ field_add_string(syslog_msg, OS_SIZE_2048, " cs3Label=NewMD5 cs3=%s", al_data->new_md5);
+ field_add_string(syslog_msg, OS_SIZE_2048, " oldFileHash=%s", al_data->old_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " fhash=%s", al_data->new_sha1 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " fileHash=%s", al_data->new_sha1 );
+ }
+ } else if (syslog_config->format == JSON_CSYSLOG) {
+ /* Build a JSON Object for logging */
+ cJSON *root;
+ char *json_string;
+ root = cJSON_CreateObject();
+
+ /* Data guaranteed to be there */
+ cJSON_AddNumberToObject(root, "crit", al_data->level);
+ cJSON_AddNumberToObject(root, "id", al_data->rule);
+ cJSON_AddStringToObject(root, "component", al_data->location);
+
+ /* Rule Meta Data */
+ if (al_data->group) {
+ cJSON_AddStringToObject(root, "classification", al_data->group);
+ }
+ if (al_data->comment) {
+ cJSON_AddStringToObject(root, "description", al_data->comment);
+ }