xmlmod plugin without format options writes all the alerts in the same line
Added by Steven Shawn over 5 years ago
Hello,
While trying to forward XML Prelude alerts (using the xmlmod plugin output) to a centralized machine through syslog or filebeat, I realized that if you haven't enabled the format option, each new alert is written on the same line, so, for example, filebeat doesn't detect that a new alert has been written and consequently it is not sent. The format option I'm referring to is:
# Tells Xmlmod to produce a pretty, human-readable xml output: # format
As I'm not interested in having a human-readable xml output, I disabled it.
A quick workaround to solve this:
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <libprelude/prelude.h>

/* Output callback used by xmlmod (libxml2 xmlOutputWriteCallback shape);
 * context is the FILE * the plugin writes to. */
static int file_write(void *context, const char *buf, int len)
{
    size_t ret;

    ret = fwrite(buf, 1, (size_t) len, context);
    if ( ret != (size_t) len && ferror((FILE *) context) ) {
        prelude_log(PRELUDE_LOG_ERR, "could not write IDMEF-XML data: '%s'.\n", strerror(errno));
        return -1;
    }

    /* Workaround: terminate the chunk so each alert ends up on its own line. */
    fwrite("\n", sizeof(char), 1, context);

    return (int) ret;
}
The addition is
fwrite("\n", sizeof(char), 1, context);
This is not the perfect solution, so I recommend analyzing the distinct options. The best one, in my opinion, is to append "\n" at the end of buf.
Thank you
Steven
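The effect described in the post, reproduced as an added example (this is not the reporter's patch nor Prelude's xmlmod code): two writer callbacks with the libxml2-style signature the post shows, one writing the buffer as-is and one terminating each alert with "\n", are fed two constructed, minimal documents (not real IDMEF alerts), and the result is then scanned the way a line-oriented shipper such as filebeat would see it, counting complete newline-terminated records. The SAMPLE_ALERTS, write_raw, write_line_delimited and run_writer names are assumptions for this example only.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for IDMEF-XML output; not real Prelude alerts. */
static const char *const SAMPLE_ALERTS[] = {
    "<IDMEF-Message><Alert messageid=\"1\"/></IDMEF-Message>",
    "<IDMEF-Message><Alert messageid=\"2\"/></IDMEF-Message>",
};

typedef int (*write_cb)(void *context, const char *buf, int len);

/* Same shape as libxml2's xmlOutputWriteCallback: write buf verbatim.
 * Consecutive alerts therefore share a single line. */
static int write_raw(void *context, const char *buf, int len)
{
    size_t ret = fwrite(buf, 1, (size_t) len, (FILE *) context);
    if (ret != (size_t) len && ferror((FILE *) context))
        return -1;
    return (int) ret;
}

/* Variant that terminates each alert with "\n" as a record separator.
 * The separator is not counted in the returned byte count, which libxml2
 * compares against len. */
static int write_line_delimited(void *context, const char *buf, int len)
{
    int ret = write_raw(context, buf, len);
    if (ret < 0)
        return ret;
    if (fwrite("\n", 1, 1, (FILE *) context) != 1)
        return -1;
    return ret;
}

/* Emit every sample alert through cb into a temporary file, then report how
 * many alerts were written and how many newline-terminated records a
 * line-oriented reader would actually see. Returns 0 on success, -1 on error. */
static int run_writer(write_cb cb, int *alerts_out, int *lines_out)
{
    char data[4096];
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;

    size_t n = sizeof SAMPLE_ALERTS / sizeof SAMPLE_ALERTS[0];
    for (size_t i = 0; i < n; i++) {
        if (cb(fp, SAMPLE_ALERTS[i], (int) strlen(SAMPLE_ALERTS[i])) < 0) {
            fclose(fp);
            return -1;
        }
    }

    fflush(fp);
    rewind(fp);
    size_t got = fread(data, 1, sizeof data - 1, fp);
    fclose(fp);
    data[got] = '\0';

    /* Count opening tags (the "</" of the closing tag does not match). */
    int alerts = 0, lines = 0;
    const char *tag = "<IDMEF-Message>";
    for (const char *p = data; (p = strstr(p, tag)) != NULL; p += strlen(tag))
        alerts++;
    for (const char *p = data; *p != '\0'; p++)
        if (*p == '\n')
            lines++;

    *alerts_out = alerts;
    *lines_out = lines;
    return 0;
}

int main(void)
{
    int alerts, lines;
    if (run_writer(write_raw, &alerts, &lines) == 0)
        printf("raw: %d alerts written, %d complete records visible\n", alerts, lines);
    if (run_writer(write_line_delimited, &alerts, &lines) == 0)
        printf("line-delimited: %d alerts written, %d complete records visible\n", alerts, lines);
    return 0;
}
```

With the raw writer both alerts land in the file but no line is ever terminated, so a reader waiting for a line terminator reports nothing; with the delimited writer each alert becomes one complete record.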