syslog: deprecate

The standalone syslog output is now deprecated for Suricata 8. Display a warning on use and add notes to the userguide. Ticket: OISF#6544
ilya-bakhtin · Aug 30, 2024 · 15fe844 · 15fe844
1 parent 5853fb9
commit 15fe844
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 10 deletions.
diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
@@ -581,6 +581,10 @@ section as described above.
 Syslog
 ~~~~~~
 
+.. attention:: The syslog output is deprecated in Suricata 8.0 and
+               will be removed in Suricata 9.0. Please migrate to the
+               ``eve`` output which has the ability to send to syslog.
+
 With this option it is possible to send all alert and event output to syslog.
 
 ::

diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -80,6 +80,9 @@ Deprecations
 ~~~~~~~~~~~~
 - The ``http-log`` output is now deprecated and will be removed in Suricata 9.0.
 - The ``tls-log`` output is now deprecated and will be removed in Suricata 9.0.
+- The ``syslog`` output is now deprecated and will be removed in
+  Suricata 9.0. Note that this is the standalone ``syslog`` output and
+  does affect the ``eve`` outputs ability to send to syslog.
 
 Upgrading 6.0 to 7.0
 --------------------

diff --git a/src/alert-syslog.c b/src/alert-syslog.c
@@ -87,6 +87,8 @@ static void AlertSyslogDeInitCtx(OutputCtx *output_ctx)
  */
 static OutputInitResult AlertSyslogInitCtx(ConfNode *conf)
 {
+    SCLogWarning("The syslog output has been deprecated and will be removed in Suricata 9.0.");
+
     OutputInitResult result = { NULL, false };
     const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
     if (facility_s == NULL) {

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -434,16 +434,6 @@ outputs:
       threads: no       # per thread stats
       #null-values: yes  # print counters that have value 0. Default: no
 
-  # a line based alerts log similar to fast.log into syslog
-  - syslog:
-      enabled: no
-      # reported identity to syslog. If omitted the program name (usually
-      # suricata) will be used.
-      #identity: "suricata"
-      facility: local5
-      #level: Info ## possible levels: Emergency, Alert, Critical,
-                   ## Error, Warning, Notice, Info, Debug
-
   # Output module for storing files on disk. Files are stored in
   # directory names consisting of the first 2 characters of the
   # SHA256 of the file. Each file is given its SHA256 as a filename.