docker-suricata
[suggestion] Include syslog-ng in the container
First, thank you for this great docker image that I have been using for years now.
It would be a nice and very simple addition to add syslog-ng in your docker build process (dnf -y install syslog-ng).
This would give the ability to easily export suricata logs to wherever.
I tweaked my docker-compose a bit this way to include syslog-ng in the container, because it makes it so easy and simple to export the eve.json log, in my case to ntopng:
```yaml
services:
  suricata:
    container_name: suricata
    image: 'jasonish/suricata:latest'
    entrypoint: ["/custom-entrypoint.sh"]
    command: --af-packet -k none
    restart: 'unless-stopped'
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - '/docker/suricata/logs:/var/log/suricata'
      - '/docker/suricata/etc:/etc/suricata'
      - '/docker/suricata/custom-entrypoint.sh:/custom-entrypoint.sh:ro'
      - '/docker/suricata/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf:ro'
```
With custom-entrypoint.sh being:
```sh
#!/bin/sh
# Install syslog-ng on first start if the image does not already ship it
[ -x /usr/sbin/syslog-ng ] || dnf -y install syslog-ng
# Start syslog-ng (it backgrounds itself by default); --no-caps skips
# capability handling, which is not needed inside the container
/usr/sbin/syslog-ng --no-caps
# Hand off to the image's own entrypoint, passing the arguments through unchanged
exec /docker-entrypoint.sh "$@"
```
And syslog-ng.conf:
```
@version: 3.35
# Tail eve.json; every line is forwarded as-is (no-parse) under the program name "suricata"
source s_suricata {
    file("/var/log/suricata/eve.json"
         program-override("suricata")
         flags(no-parse));
};
# Forward over plain TCP to the ntopng syslog listener
destination d_ntopng {
    tcp("10.10.10.10" port(5140));
};
log {
    source(s_suricata);
    destination(d_ntopng);
};
```
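As an added example (not part of the issue or of the docker-suricata project), here is what the receiving end has to do with lines shipped this way: with `flags(no-parse)` syslog-ng forwards each eve.json line untouched as the message body behind a syslog header, so the receiver strips that header and parses the JSON itself, dropping truncated or non-suricata lines. It assumes syslog-ng's default `tcp()` line template (`<PRI>date host program: message`); the sample lines are constructed.

```python
import json
import re
from collections import Counter

# Assumed framing of syslog-ng's default tcp() template (not stated in the issue):
#   <PRI>Mmm dd HH:MM:SS host program: message
# With program-override("suricata") and flags(no-parse), "message" is the
# untouched eve.json line, so the receiver must strip the header itself.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Return the eve.json record carried by one syslog line, or None."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m or m.group("prog") != "suricata":
        return None  # not from the suricata source: ignore
    try:
        return json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None  # truncated or non-JSON payload: drop rather than crash

def summarize_alerts(lines):
    """Count alert events per signature across forwarded eve.json records."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec.get("event_type") == "alert":
            counts[rec["alert"]["signature"]] += 1
    return counts

# Constructed sample of what the receiving side (ntopng here) would see.
SAMPLE = [
    '<13>Jan  5 10:00:01 sensor1 suricata: {"timestamp":"2024-01-05T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature":"EXAMPLE Constructed Scan Signature","severity":2}}',
    '<13>Jan  5 10:00:02 sensor1 suricata: {"timestamp":"2024-01-05T10:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}',
    '<13>Jan  5 10:00:03 sensor1 suricata: {"timestamp":"2024-01-05T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"198.51.100.5","alert":{"signature":"EXAMPLE Constructed Scan Signature","severity":2}}',
    '<13>Jan  5 10:00:04 sensor1 suricata: {"timestamp":"2024-01-05T10:00:04.000000+0000","event_type":"alert","src_ip":',
    '<30>Jan  5 10:00:05 sensor1 sshd[123]: {"event_type":"alert","alert":{"signature":"not suricata"}}',
]

if __name__ == "__main__":
    for sig, n in summarize_alerts(SAMPLE).items():
        print(f"{n:4d}  {sig}")
```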
I'll have to think on it, but some effort is made to keep the container minimal. I already know of uses where rsyslog is layered in and don't want to end up with rsyslog and syslog-ng in the default