Feature #530
closed
Custom http logging
Description
The following patch adds support for custom http logging using a format syntax inspired by Apache mod_log_config.
In order to activate the custom logging feature, the parameters custom and customformat shall be specified in the suricata.yaml configuration file.
Example (next to "extended" under http-log):
custom: yes # enable the custom logging format (defined by customformat)
customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
In addition to %h, %H, %m, %u, %i, %C, %s, %o and %B - almost - as described by mod_log_config (http://httpd.apache.org/docs/2.0/mod/mod_log_config.html), I have added %z, %a, %p, %A and %P for the precision time, IPs and ports.
I have tested it in suricata 1.3.1b2 and in the latest suricata git version at the time of writing and it seems to be working fine.
As illustrated by the example, the XFF client IP can be logged with "%{X-Forwarded-For}i", and with the right customformat string the HTTP transaction log files would be directly readable by awstats or piwik, so now we can have real-time statistics of the monitored web applications.
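For anyone consuming these logs, here is an added example (not part of the original post or the attached patch) that compiles a customformat string into an anchored regular expression and splits a log line back into named fields. Assumptions: the field names are this example's reading of the tokens listed above (with %a/%p and %A/%P taken as source and destination from the arrow in the sample format), an absent value is written as "-", and the log lines are constructed samples.

```python
import re

# Field names are this example's reading of the tokens listed in the post.
FIELDS = {"h": "host", "H": "protocol", "m": "method", "u": "uri",
          "s": "status", "B": "resp_bytes", "z": "usec", "a": "src_ip",
          "p": "src_port", "A": "dst_ip", "P": "dst_port"}
NUMERIC = set("sBzpP")
TOKEN = re.compile(r"%(?:\{([^}]*)\})?([A-Za-z])")

def compile_format(fmt):
    """Turn a customformat string into an anchored regex plus group->name map."""
    parts, names, pos = ["^"], {}, 0
    for i, m in enumerate(TOKEN.finditer(fmt)):
        parts.append(re.escape(fmt[pos:m.start()]))  # literal text between tokens
        arg, tok, group = m.group(1), m.group(2), f"f{i}"
        if tok == "t":
            names[group], pat = "timestamp", r".+?"
        elif tok in ("i", "o", "C") and arg:
            # Header and cookie values are client-controlled free text and may
            # contain spaces, so match lazily and let the fixed fields decide.
            names[group], pat = f"{tok}:{arg.lower()}", r".*?"
        elif tok in FIELDS:
            # Assumption: an absent value is written as "-".
            names[group], pat = FIELDS[tok], (r"\d+|-" if tok in NUMERIC else r"\S+")
        else:
            raise ValueError(f"unsupported token %{tok}")
        parts.append(f"(?P<{group}>{pat})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]) + "$")
    return re.compile("".join(parts)), names

def parse_line(fmt, line):
    """Return a dict of named fields, or None if the line does not fit fmt."""
    rx, names = compile_format(fmt)
    m = rx.match(line)
    return {names[g]: v for g, v in m.groupdict().items()} if m else None

# customformat string from the post; the log lines are constructed samples.
FMT = "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
SAMPLE = ("08/14/12-10:15:30.123456 203.0.113.7, 10.0.0.1 HTTP/1.1 GET "
          "www.example.com /index.html?x=1 200 5120 "
          "192.0.2.10:51234 -> 198.51.100.5:80")
NO_XFF = SAMPLE.replace("203.0.113.7, 10.0.0.1", "-")

if __name__ == "__main__":
    for line in (SAMPLE, NO_XFF, "not an http log line"):
        print(parse_line(FMT, line))
```

Because the X-Forwarded-For value is supplied by the client, treat the parsed field as untrusted text rather than as an address; the anchored match keeps a multi-hop value containing spaces from shifting the fixed fields that follow it.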
Updated by Ignacio Sanchez about 12 years ago
- File deleted (0001-Custom-logging-feature-for-log-httplog_REBASED.patch)
Updated by Ignacio Sanchez about 12 years ago
- File deleted (0002-strcpy-replaced-by-strlcpy.patch)
Updated by Ignacio Sanchez about 12 years ago
- File 0001-Custom-logging-feature-for-log-httplog.patch added
Attached merged patch
Updated by Victor Julien about 12 years ago
- Status changed from New to Closed
Applied, thanks a lot Ignacio! Great contribution!