Format of syslog is not RFC Compliant

[jjfallete]

Is your feature request related to a problem? Please describe.

Currently, the cb-event-forwarder does not use RFC compliant syslog format (RFC 3164 or RFC 5424). As a result, syslog servers do not properly parse the hostname identifier without manual intervention, some fall back to using the sending IP address to identify the source.



Here is an example of an event sent from the cb-event-forwarder:

<6> 2024-01-25T12:00:00-04:00 CBSERVER /usr/share/cb/integrations/event-forwarder/cb-event-forwarder[10000]: LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER    command_line=...

If this was RFC format compliant, we'd see either:

//RFC 3164 
<6>1 2024-01-25T12:00:00-04:00 CBSERVER /usr/share/cb/integrations/event-forwarder/cb-event-forwarder 10000 LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER    command_line=...

//RFC 5424
<6>Jan 25 12:00:00 CBSERVER LEEF:1.0|CB|CB|5.1|ingress.event.process|cb_server=CBSERVER    command_line=...

Describe the solution you'd like

Update the cb-event-forwarder to be RFC compliant. RFC 3164 may be more desirable as it is most similar to the existing format and is more detailed.

After reviewing the codebase, I believe only a small change is needed to do this...

After this line:

cb-event-forwarder/pkg/outputs/syslog_output.go

Line 73 in 16240a8

o.outputSocket, err = syslog.DialWithTLSConfig(o.protocol, o.hostnamePort, syslog.LOG_INFO, o.tag, o.Config.TLSConfig)

Add:

// Reference from the syslog import source: github.com/RackSec/srslog/blob/master/formatter.go#L35
o.outputSocket.SetFormatter(syslog.RFC3164Formatter)  // Alternatively: RFC5424Formatter

Describe alternatives you've considered

N/A

Additional context

N/A