From e5c1778e7dd32ff3ed8cf969540404c9c0e6d5a1 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 18 Feb 2021 08:32:13 -0700
Subject: [PATCH] When logging JSON to syslog, wrap the contents in a "sudo" object. This makes it easier for log parsers to identify what is a sudo log entry.
---
 lib/eventlog/eventlog.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index 1f0183b1b..e6f744da5 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -950,10 +950,10 @@ do_syslog_json(int pri, int event_type, const char *reason,
 if (json_str == NULL)
 debug_return_bool(false);
- /* Syslog it with a @cee: prefix */
+ /* Syslog it in a sudo object with a @cee: prefix. */
 /* TODO: use evl_conf.syslog_maxlen to break up long messages. */
 evl_conf.open_log(EVLOG_SYSLOG, NULL);
- syslog(pri, "@cee:{%s}", json_str);
+ syslog(pri, "@cee:{\"sudo\":{%s}}", json_str);
 evl_conf.close_log(EVLOG_SYSLOG, NULL);
 free(json_str);
 debug_return_bool(true);
-- 
2.43.0
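Review bot: The new `syslog(pri, "@cee:{\"sudo\":{%s}}", json_str);` call still sends the whole record as a single message, and the TODO directly above it says `evl_conf.syslog_maxlen` is not yet used to split long ones. The wrapper lengthens every record and adds a second closing brace, so if a message is truncated anywhere along the syslog path, the entry no longer parses as JSON and a parser keyed on the `sudo` object would presumably drop that audit record instead of flagging it. I would state this in the comment, e.g. `/* TODO: use evl_conf.syslog_maxlen to break up long messages; a truncated record loses the closing "}}" and is not valid JSON. */`, and note in the release documentation that existing consumers reading top-level keys must now look under `sudo`. The body of do_syslog_json starts outside the hunk, so how `json_str` is built and escaped is not visible here.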