Add timestamp in function outputs

rules/base.txt

@@ -77,7 +77,7 @@ read and not proc.name in (sshd, sudo, su) and not_cron and sensitive_files | Re
 modify and (bin_dir_rename or bin_dir_mkdir) | Modify bin dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)
 
 # Don't load shared objects coming from unexpected places
-read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "%evt.time: .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)")
+read and fd.name contains .so and not (ubuntu_so_dirs or centos_so_dirs) | output.first_sequence(evt, "fd.filename", "shared_obj", "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)")
 
 # Attempts to access things that shouldn't be
 evt.res = EACCES | EACCESS (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)

userspace/digwatch/lua/output.lua

@@ -2,6 +2,7 @@ local mod = {}
 
 function mod.syslog(evt, level, format)
    nixio = require("nixio")
+   format = "%evt.time: "..format
    formatter = digwatch.formatter(format)
    msg = digwatch.format_event(evt, formatter)
    nixio.syslog(level, msg)
@@ -14,6 +15,8 @@ function mod.first_sequence(evt, fieldname, key, format)
    local field_value = digwatch.field(evt, fieldname)
    local now = os.time()
 
+   format = "%evt.time: "..format
+
    if first_sequence_state[key] == nil then
       first_sequence_state[key] = {}
    end