add the support to log the fast.log alerts type to syslog

14 years ago · e5edc6e8e3
parent d424ac7c61
commit e5edc6e8e3
12 changed files with 574 additions and 34 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -188,6 +188,7 @@ util-ringbuffer.c util-ringbuffer.h \
 util-validate.h util-affinity.h util-affinity.c \
 util-memcmp.c util-memcmp.h \
 util-proto-name.c util-proto-name.h \
+util-syslog.c util-syslog.h \
 tm-modules.c tm-modules.h \
 tm-queues.c tm-queues.h \
 tm-queuehandlers.c tm-queuehandlers.h \
@ -203,6 +204,7 @@ alert-prelude.c alert-prelude.h \
 alert-unified-log.c alert-unified-log.h \
 alert-unified-alert.c alert-unified-alert.h \
 alert-unified2-alert.c alert-unified2-alert.h \
+alert-syslog.c alert-syslog.h \
 log-httplog.c log-httplog.h \
 stream.c stream.h \
 stream-tcp.c stream-tcp.h stream-tcp-private.h \
--- a/src/alert-syslog.c
+++ b/src/alert-syslog.c
@ -0,0 +1,407 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
+ *
+ * Logs alerts in a line based text format in to syslog.
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "flow.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "tm-threads.h"
+#include "threadvars.h"
+#include "tm-modules.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-reference.h"
+
+#include "output.h"
+#include "alert-syslog.h"
+
+#include "util-classification-config.h"
+#include "util-debug.h"
+#include "util-print.h"
+#include "util-proto-name.h"
+#include "util-syslog.h"
+
+#define DEFAULT_ALERT_SYSLOG_FACILITY_STR       "local0"
+#define DEFAULT_ALERT_SYSLOG_FACILITY           LOG_LOCAL0
+#define DEFAULT_ALERT_SYSLOG_LEVEL              LOG_ERR
+#define MODULE_NAME                             "AlertSyslog"
+
+typedef struct AlertSyslogThread_ {
+    /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
+    LogFileCtx* file_ctx;
+} AlertSyslogThread;
+
+TmEcode AlertSyslog (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
+TmEcode AlertSyslogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
+TmEcode AlertSyslogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
+TmEcode AlertSyslogThreadInit(ThreadVars *, void *, void **);
+TmEcode AlertSyslogThreadDeinit(ThreadVars *, void *);
+void AlertSyslogExitPrintStats(ThreadVars *, void *);
+void AlertSyslogRegisterTests(void);
+OutputCtx *AlertSyslogInitCtx(ConfNode *);
+static void AlertSyslogDeInitCtx(OutputCtx *);
+
+/** \brief   Function to register the AlertSyslog module */
+void TmModuleAlertSyslogRegister (void) {
+    tmm_modules[TMM_ALERTSYSLOG].name = MODULE_NAME;
+    tmm_modules[TMM_ALERTSYSLOG].ThreadInit = AlertSyslogThreadInit;
+    tmm_modules[TMM_ALERTSYSLOG].Func = AlertSyslog;
+    tmm_modules[TMM_ALERTSYSLOG].ThreadExitPrintStats = AlertSyslogExitPrintStats;
+    tmm_modules[TMM_ALERTSYSLOG].ThreadDeinit = AlertSyslogThreadDeinit;
+    tmm_modules[TMM_ALERTSYSLOG].RegisterTests = NULL;
+    tmm_modules[TMM_ALERTSYSLOG].cap_flags = 0;
+
+    OutputRegisterModule(MODULE_NAME, "syslog", AlertSyslogInitCtx);
+}
+
+/** \brief   Function to register the AlertSyslog module for IPv4 */
+void TmModuleAlertSyslogIPv4Register (void) {
+    tmm_modules[TMM_ALERTSYSLOG4].name = "AlertSyslogIPv4";
+    tmm_modules[TMM_ALERTSYSLOG4].ThreadInit = AlertSyslogThreadInit;
+    tmm_modules[TMM_ALERTSYSLOG4].Func = AlertSyslogIPv4;
+    tmm_modules[TMM_ALERTSYSLOG4].ThreadExitPrintStats = AlertSyslogExitPrintStats;
+    tmm_modules[TMM_ALERTSYSLOG4].ThreadDeinit = AlertSyslogThreadDeinit;
+    tmm_modules[TMM_ALERTSYSLOG4].RegisterTests = NULL;
+}
+
+/** \brief   Function to register the AlertSyslog module for IPv6 */
+void TmModuleAlertSyslogIPv6Register (void) {
+    tmm_modules[TMM_ALERTSYSLOG6].name = "AlertSyslogIPv6";
+    tmm_modules[TMM_ALERTSYSLOG6].ThreadInit = AlertSyslogThreadInit;
+    tmm_modules[TMM_ALERTSYSLOG6].Func = AlertSyslogIPv6;
+    tmm_modules[TMM_ALERTSYSLOG6].ThreadExitPrintStats = AlertSyslogExitPrintStats;
+    tmm_modules[TMM_ALERTSYSLOG6].ThreadDeinit = AlertSyslogThreadDeinit;
+    tmm_modules[TMM_ALERTSYSLOG6].RegisterTests = NULL;
+}
+
+/**
+ * \brief Create a new LogFileCtx for "syslog" output style.
+ *
+ * \param conf The configuration node for this output.
+ * \return A OutputCtx pointer on success, NULL on failure.
+ */
+OutputCtx *AlertSyslogInitCtx(ConfNode *conf)
+{
+    const char *enabled = ConfNodeLookupChildValue(conf, "enabled");
+    if (enabled != NULL && strncmp(enabled, "no", 2) == 0) {
+        SCLogDebug("alert-syslog module has been disabled");
+        return NULL;
+    }
+
+    const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
+    if (facility_s == NULL) {
+        facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
+    }
+
+    LogFileCtx *logfile_ctx = LogFileNewCtx();
+    if (logfile_ctx == NULL) {
+        SCLogDebug("AlertSyslogInitCtx: Could not create new LogFileCtx");
+        return NULL;
+    }
+
+    int facility = SCMapEnumNameToValue(facility_s, SCGetFacilityMap());
+    if (facility == -1) {
+        SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
+                " now using \"%s\" as syslog facility", facility_s,
+                DEFAULT_ALERT_SYSLOG_FACILITY_STR);
+        facility = DEFAULT_ALERT_SYSLOG_FACILITY;
+    }
+
+    openlog(NULL, LOG_NDELAY, facility);
+
+    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
+    if (output_ctx == NULL) {
+        SCLogDebug("AlertSyslogInitCtx: Could not create new OutputCtx");
+        return NULL;
+    }
+
+    output_ctx->data = logfile_ctx;
+    output_ctx->DeInit = AlertSyslogDeInitCtx;
+
+    SCLogInfo("Syslog output initialized");
+
+    return output_ctx;
+}
+
+/**
+ * \brief Function to clear the memory of the output context and closes the
+ *        syslog interface
+ *
+ * \param output_ctx pointer to the output context to be cleared
+ */
+static void AlertSyslogDeInitCtx(OutputCtx *output_ctx)
+{
+    if (output_ctx != NULL) {
+        LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
+        LogFileFreeCtx(logfile_ctx);
+        free(output_ctx);
+    }
+    closelog();
+}
+
+/**
+ * \brief Function to initialize the AlertSystlogThread and sets the output
+ *        context pointer
+ *
+ * \param tv            Pointer to the threadvars
+ * \param initdata      Pointer to the output context
+ * \param data          pointer to pointer to point to the AlertSyslogThread
+ */
+TmEcode AlertSyslogThreadInit(ThreadVars *t, void *initdata, void **data)
+{
+    AlertSyslogThread *ast = SCMalloc(sizeof(AlertSyslogThread));
+    if (ast == NULL)
+        return TM_ECODE_FAILED;
+
+    memset(ast, 0, sizeof(AlertSyslogThread));
+    if(initdata == NULL)
+    {
+        SCLogDebug("Error getting context for AlertSyslog. \"initdata\" "
+                "argument NULL");
+        SCFree(ast);
+        return TM_ECODE_FAILED;
+    }
+    /** Use the Ouptut Context (file pointer and mutex) */
+    ast->file_ctx = ((OutputCtx *)initdata)->data;
+
+    *data = (void *)ast;
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief Function to deinitialize the AlertSystlogThread
+ *
+ * \param tv            Pointer to the threadvars
+ * \param data          pointer to the AlertSyslogThread to be cleared
+ */
+TmEcode AlertSyslogThreadDeinit(ThreadVars *t, void *data)
+{
+    AlertSyslogThread *ast = (AlertSyslogThread *)data;
+    if (ast == NULL) {
+        return TM_ECODE_OK;
+    }
+
+    /* clear memory */
+    memset(ast, 0, sizeof(AlertSyslogThread));
+
+    SCFree(ast);
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief   Function which is called to print the IPv4 alerts to the syslog
+ *
+ * \param tv    Pointer to the threadvars
+ * \param p     Pointer to the packet
+ * \param data  pointer to the AlertSyslogThread
+ * \param pq    pointer the to packet queue
+ * \param postpq pointer to the post processed packet queue
+ *
+ * \return On succes return TM_ECODE_OK
+ */
+TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
+                        PacketQueue *postpq)
+{
+    AlertSyslogThread *ast = (AlertSyslogThread *)data;
+    int i;
+
+    if (p->alerts.cnt == 0)
+        return TM_ECODE_OK;
+
+    SCMutexLock(&ast->file_ctx->fp_mutex);
+
+    ast->file_ctx->alerts += p->alerts.cnt;
+
+    for (i = 0; i < p->alerts.cnt; i++) {
+        PacketAlert *pa = &p->alerts.alerts[i];
+
+        char srcip[16], dstip[16];
+
+        inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
+        inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
+
+        if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
+            syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%"
+                    PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
+                    " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", pa->gid, pa->sid,
+                    pa->rev, pa->msg, pa->class_msg, pa->prio,
+                    known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
+        } else {
+            syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%"
+                    PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
+                    " {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
+                    pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
+                    IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
+        }
+    }
+    SCMutexUnlock(&ast->file_ctx->fp_mutex);
+
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief   Function which is called to print the IPv6 alerts to the syslog
+ *
+ * \param tv    Pointer to the threadvars
+ * \param p     Pointer to the packet
+ * \param data  pointer to the AlertSyslogThread
+ * \param pq    pointer the to packet queue
+ * \param postpq pointer to the post processed packet queue
+ *
+ * \return On succes return TM_ECODE_OK
+ */
+TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
+                        PacketQueue *postpq)
+{
+    AlertSyslogThread *ast = (AlertSyslogThread *)data;
+    int i;
+
+    if (p->alerts.cnt == 0)
+        return TM_ECODE_OK;
+
+    SCMutexLock(&ast->file_ctx->fp_mutex);
+
+    ast->file_ctx->alerts += p->alerts.cnt;
+
+    for (i = 0; i < p->alerts.cnt; i++) {
+        PacketAlert *pa = &p->alerts.alerts[i];
+        char srcip[46], dstip[46];
+
+        inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
+        inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
+
+        if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
+            syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%"
+                    "" PRIu32 "] %s [Classification: %s] [Priority: %"
+                    "" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
+                    pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
+                    pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
+                    dstip, p->dp);
+
+        } else {
+            syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%"
+                    "" PRIu32 "] %s [Classification: %s] [Priority: %"
+                    "" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
+                    pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
+                    pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
+        }
+
+    }
+    SCMutexUnlock(&ast->file_ctx->fp_mutex);
+
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief   Function which is called to print the decode alerts to the syslog
+ *
+ * \param tv    Pointer to the threadvars
+ * \param p     Pointer to the packet
+ * \param data  pointer to the AlertSyslogThread
+ * \param pq    pointer the to packet queue
+ * \param postpq pointer to the post processed packet queue
+ *
+ * \return On succes return TM_ECODE_OK
+ */
+TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
+                                    PacketQueue *pq, PacketQueue *postpq)
+{
+    AlertSyslogThread *ast = (AlertSyslogThread *)data;
+    int i;
+
+    if (p->alerts.cnt == 0)
+        return TM_ECODE_OK;
+
+    SCMutexLock(&ast->file_ctx->fp_mutex);
+
+    ast->file_ctx->alerts += p->alerts.cnt;
+    char temp_buf[2048];
+
+    for (i = 0; i < p->alerts.cnt; i++) {
+        PacketAlert *pa = &p->alerts.alerts[i];
+
+        syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" PRIu32 "]"
+                " %s [Classification: %s] [Priority: %" PRIu32 "] [**] [Raw pkt: ",
+                pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio);
+
+        PrintRawLineHexBuf(temp_buf, p->pkt, p->pktlen < 32 ? p->pktlen : 32);
+        syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "%s", temp_buf);
+
+        if (p->pcap_cnt != 0) {
+            syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "] [pcap file packet: %"PRIu64"]",
+                    p->pcap_cnt);
+        }
+
+    }
+    SCMutexUnlock(&ast->file_ctx->fp_mutex);
+
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief   Function which is called to print the alerts to the syslog
+ *
+ * \param tv    Pointer to the threadvars
+ * \param p     Pointer to the packet
+ * \param data  pointer to the AlertSyslogThread
+ * \param pq    pointer the to packet queue
+ * \param postpq pointer to the post processed packet queue
+ *
+ * \return On succes return TM_ECODE_OK
+ */
+TmEcode AlertSyslog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
+                        PacketQueue *postpq)
+{
+    if (PKT_IS_IPV4(p)) {
+        return AlertSyslogIPv4(tv, p, data, pq, postpq);
+    } else if (PKT_IS_IPV6(p)) {
+        return AlertSyslogIPv6(tv, p, data, pq, postpq);
+    } else if (p->events.cnt > 0) {
+        return AlertSyslogDecoderEvent(tv, p, data, pq, postpq);
+    }
+
+    return TM_ECODE_OK;
+}
+
+/**
+ * \brief   Function to print the total alert while closing the engine
+ *
+ * \param tv    Pointer to the output threadvars
+ * \param data  Pointer to the AlertSyslogThread data
+ */
+void AlertSyslogExitPrintStats(ThreadVars *tv, void *data) {
+    AlertSyslogThread *ast = (AlertSyslogThread *)data;
+    if (ast == NULL) {
+        return;
+    }
+
+    SCLogInfo("(%s) Alerts %" PRIu64 "", tv->name, ast->file_ctx->alerts);
+}
--- a/src/alert-syslog.h
+++ b/src/alert-syslog.h
@ -0,0 +1,34 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
+ *
+ * alert syslog modeule header file
+ *
+ */
+
+#ifndef ALERT_SYSLOG_H
+#define	ALERT_SYSLOG_H
+
+void TmModuleAlertSyslogRegister (void);
+void TmModuleAlertSyslogIPv4Register (void);
+void TmModuleAlertSyslogIPv6Register (void);
+
+#endif	/* ALERT_SYSLOG_H */
--- a/src/suricata.c
+++ b/src/suricata.c
@ -79,6 +79,7 @@
 #include "alert-unified2-alert.h"
 #include "alert-debuglog.h"
 #include "alert-prelude.h"
+#include "alert-syslog.h"

 #include "log-httplog.h"

@ -918,9 +919,12 @@ int main(int argc, char **argv)
    TmModuleRespondRejectRegister();
    TmModuleAlertFastLogIPv4Register();
    TmModuleAlertFastLogIPv6Register();
+    TmModuleAlertSyslogIPv4Register();
+    TmModuleAlertSyslogIPv6Register();
    TmModuleAlertUnifiedLogRegister();
    TmModuleAlertUnifiedAlertRegister();
    TmModuleUnified2AlertRegister();
+    TmModuleAlertSyslogRegister();
    TmModuleStreamTcpRegister();
    TmModuleLogHttpLogRegister();
    TmModuleLogHttpLogIPv4Register();
--- a/src/tm-modules.h
+++ b/src/tm-modules.h
@ -68,6 +68,9 @@ enum {
    TMM_ALERTUNIFIED2ALERT,
    TMM_ALERTPRELUDE,
    TMM_ALERTDEBUGLOG,
+    TMM_ALERTSYSLOG,
+    TMM_ALERTSYSLOG4,
+    TMM_ALERTSYSLOG6,
    TMM_RESPONDREJECT,
    TMM_LOGHTTPLOG,
    TMM_LOGHTTPLOG4,
--- a/src/util-debug.c
+++ b/src/util-debug.c
@ -41,6 +41,7 @@
 #include "tm-threads.h"

 #include "util-unittest.h"
+#include "util-syslog.h"

 #include "conf.h"

@ -67,32 +68,6 @@ SCEnumCharMap sc_log_op_iface_map[ ] = {
    { NULL,             -1 }
 };

-/* holds the string-enum mapping for the syslog facility in SCLogOPIfaceCtx */
-SCEnumCharMap sc_syslog_facility_map[] = {
-    { "auth",           LOG_AUTH },
-    { "authpriv",       LOG_AUTHPRIV },
-    { "cron",           LOG_CRON },
-    { "daemon",         LOG_DAEMON },
-    { "ftp",            LOG_FTP },
-    { "kern",           LOG_KERN },
-    { "lpr",            LOG_LPR },
-    { "mail",           LOG_MAIL },
-    { "news",           LOG_NEWS },
-    { "security",       LOG_AUTH },
-    { "syslog",         LOG_SYSLOG },
-    { "user",           LOG_USER },
-    { "uucp",           LOG_UUCP },
-    { "local0",         LOG_LOCAL0 },
-    { "local1",         LOG_LOCAL1 },
-    { "local2",         LOG_LOCAL2 },
-    { "local3",         LOG_LOCAL3 },
-    { "local4",         LOG_LOCAL4 },
-    { "local5",         LOG_LOCAL5 },
-    { "local6",         LOG_LOCAL6 },
-    { "local7",         LOG_LOCAL7 },
-    { NULL,             -1         }
-};
-
 #if defined (OS_WIN32)
 /**
 * \brief Used for synchronous output on WIN32
@ -882,7 +857,7 @@ static inline void SCLogSetOPIface(SCLogInitData *sc_lid, SCLogConfig *sc_lc)
                if (s == NULL)
                    s = SC_LOG_DEF_SYSLOG_FACILITY_STR;

-                op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, sc_syslog_facility_map), NULL, -1);
+                op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, SCGetFacilityMap()), NULL, -1);
                break;
            default:
                break;
@ -1072,7 +1047,7 @@ SCLogOPIfaceCtx *SCLogInitOPIfaceCtx(const char *iface_name,
        case SC_LOG_OP_IFACE_FILE:
            return SCLogInitFileOPIface(arg, log_format, log_level);
        case SC_LOG_OP_IFACE_SYSLOG:
-            return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, sc_syslog_facility_map), log_format, log_level);
+            return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, SCGetFacilityMap()), log_format, log_level);
        default:
 #ifdef DEBUG
            printf("Output Interface \"%s\" not supported by the logging module",
@ -1208,12 +1183,12 @@ void SCLogLoadConfig(void)
            const char *facility_s = ConfNodeLookupChildValue(output,
                "facility");
            if (facility_s != NULL) {
-                facility = SCMapEnumNameToValue(facility_s,
-                    sc_syslog_facility_map);
+                facility = SCMapEnumNameToValue(facility_s, SCGetFacilityMap());
                if (facility == -1) {
-                    SCLogError(SC_ERR_INVALID_ARGUMENT,
-                        "Invalid syslog facility: %s", facility_s);
-                    exit(EXIT_FAILURE);
+                    SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog "
+                            "facility: \"%s\", now using \"%s\" as syslog "
+                            "facility", facility_s, SC_LOG_DEF_SYSLOG_FACILITY_STR);
+                    facility = SC_LOG_DEF_SYSLOG_FACILITY;
                }
            }
            printf("Initialization syslog logging with format \"%s\".\n",
@ -1295,7 +1270,7 @@ void SCLogInitLogModuleIfEnvSet(void)
            if (s == NULL)
                s = SC_LOG_DEF_SYSLOG_FACILITY_STR;

-            op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, sc_syslog_facility_map), NULL, -1);
+            op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, SCGetFacilityMap()), NULL, -1);
            break;
        default:
            break;
--- a/src/util-debug.h
+++ b/src/util-debug.h
@ -29,6 +29,7 @@
 #include "util-error.h"
 #include "pcre.h"
 #include "util-debug-filters.h"
+#include "syslog.h"

 #ifndef __UTIL_DEBUG_H__
 #define __UTIL_DEBUG_H__
--- a/src/util-print.c
+++ b/src/util-print.c
@ -49,6 +49,26 @@ void PrintRawLineHexFp(FILE *fp, uint8_t *buf, uint32_t buflen)
    fprintf(fp, "%s", nbuf);
 }

+/**
+ *  \brief print a buffer as hex on a single line in to retbuf buffer
+ *
+ *  Prints in the format "00 AA BB"
+ *
+ *  \param retbuf pointer to the buffer which will have the result
+ *  \param buf buffer to print from
+ *  \param buflen length of the input buffer
+ */
+void PrintRawLineHexBuf(char *retbuf, uint8_t *buf, uint32_t buflen)
+{
+    char temp[5] = "";
+    uint32_t u = 0;
+
+    for (u = 0; u < buflen; u++) {
+        snprintf(temp, sizeof(temp), "%02X ", buf[u]);
+        strlcat(retbuf, temp, sizeof(retbuf));
+    }
+}
+
 void PrintRawUriFp(FILE *fp, uint8_t *buf, uint32_t buflen)
 {
    char nbuf[2048] = "";
--- a/src/util-print.h
+++ b/src/util-print.h
@ -27,6 +27,7 @@
 void PrintRawLineHexFp(FILE *, uint8_t *, uint32_t);
 void PrintRawUriFp(FILE *, uint8_t *, uint32_t);
 void PrintRawDataFp(FILE *, uint8_t *, uint32_t);
+void PrintRawLineHexBuf(char *, uint8_t *, uint32_t );

 #endif /* __UTIL_PRINT_H__ */

--- a/src/util-syslog.c
+++ b/src/util-syslog.c
@ -0,0 +1,58 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
+ *
+ * Syslog utility file
+ *
+ */
+
+#include "suricata-common.h"
+
+/* holds the string-enum mapping for the syslog facility in SCLogOPIfaceCtx */
+SCEnumCharMap sc_syslog_facility_map[] = {
+    { "auth",           LOG_AUTH },
+    { "authpriv",       LOG_AUTHPRIV },
+    { "cron",           LOG_CRON },
+    { "daemon",         LOG_DAEMON },
+    { "ftp",            LOG_FTP },
+    { "kern",           LOG_KERN },
+    { "lpr",            LOG_LPR },
+    { "mail",           LOG_MAIL },
+    { "news",           LOG_NEWS },
+    { "security",       LOG_AUTH },
+    { "syslog",         LOG_SYSLOG },
+    { "user",           LOG_USER },
+    { "uucp",           LOG_UUCP },
+    { "local0",         LOG_LOCAL0 },
+    { "local1",         LOG_LOCAL1 },
+    { "local2",         LOG_LOCAL2 },
+    { "local3",         LOG_LOCAL3 },
+    { "local4",         LOG_LOCAL4 },
+    { "local5",         LOG_LOCAL5 },
+    { "local6",         LOG_LOCAL6 },
+    { "local7",         LOG_LOCAL7 },
+    { NULL,             -1         }
+};
+
+/** \brief returns the syslog facility enum map */
+SCEnumCharMap *SCGetFacilityMap() {
+    return sc_syslog_facility_map;
+}
--- a/src/util-syslog.h
+++ b/src/util-syslog.h
@ -0,0 +1,30 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
+ *
+ */
+
+#ifndef UTIL_SYSLOG_H
+#define	UTIL_SYSLOG_H
+
+SCEnumCharMap *SCGetFacilityMap(void);
+
+#endif	/* UTIL_SYSLOG_H */
--- a/suricata.yaml
+++ b/suricata.yaml
@ -96,6 +96,11 @@ outputs:
      filename: stats.log
      interval: 8

+  # a line based alerts log similar to fast.log into syslog
+  - syslog:
+      enabled: no
+      facility: local5
+
 # When running in NFQ inline mode, it is possible to use a simulated
 # non-terminal NFQUEUE verdict.
 # This permit to do send all needed packet to suricata via this a rule: