<div dir="ltr">Thanks Robert. I figured as much. I am going to look at some intermediary that can transform binary to base64 and then stream to syslog.<div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, May 21, 2013 at 11:48 AM, Fekete Róbert <span dir="ltr"><<a href="mailto:frobert@balabit.hu" target="_blank">frobert@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
On Saturday, May 18, 2013 02:35 CEST, Xuri Nagarin <<a href="mailto:secsubs@gmail.com">secsubs@gmail.com</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> My log source sends data over syslog in CEF (Arcsight format).<br>
><br>
> I have a simple parser written in Syslog-NG that takes advantage of the CEF<br>
> format (that is all messages are in eight fields separated by a pipe char).<br>
> -----------xxxxxxxxxxxxxxxxx-------------------<br>
><br>
> parser p_cef {<br>
><br>
> csv-parser(columns("cef.ff","cef.vendor","cef.product","cef.c4","cef.c5","cef.c6","cef.c7","cef.c8")<br>
> delimiters("|")<br>
> flags(drop-invalid)<br>
> );<br>
> };<br>
><br>
> destination d_file {<br>
> file("/var/log/net/${cef.vendor}/${cef.product}/logfile"); };<br>
><br>
> log { source(s_tcp); parser(p_cef); destination(d_file); };<br>
> -----------xxxxxxxxxxxxxxxxx-------------------<br>
><br>
> Some events coming in contain binary data that get translated into control<br>
> characters and create thousands of directories with garbage in the names.<br>
><br>
> How do I handle binary data in the message? Should I use the sanitize<br>
> function in the destination/file definition or is there a better way to do<br>
> it?<br>
><br>
<br>
</div>Hi, I currently do not know about any way to handle binary data within a message.<br>
<div class="im"><br>
> Also, how do I create a catch-all destination for all the messages that do<br>
> not match my parser?<br>
<br>
</div>Create a log statement that uses the flags(catchall) option.<br>
<br>
Regards,<br>
<br>
Robert<br>
<br>
><br>
> Thanks!<br>
<br>
</blockquote></div><br></div>
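A sketch of the kind of intermediary mentioned in the reply at the top of this thread, added here as an example and not code from any poster or from syslog-ng. It reduces the vendor and product columns, which the quoted `d_file` destination uses as directory names, to a path-safe character set and base64-encodes any other column that carries non-printable bytes. The function names, the `b64:` prefix and the `unknown` fallback are assumptions made for this example.

```python
import base64
import re
import sys

FIELDS = 8  # the thread's csv-parser expects eight pipe-separated columns
UNESCAPED_PIPE = re.compile(rb"(?<!\\)\|")  # CEF escapes a literal pipe as \|
UNSAFE_PATH = re.compile(r"[^A-Za-z0-9._-]")


def is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (0x20-0x7E)."""
    return all(0x20 <= b <= 0x7E for b in data)


def path_component(field: bytes) -> str:
    """Reduce a column to a name that is safe as a single directory name."""
    text = field.decode("ascii", errors="replace")
    # Control characters, slashes and non-ASCII become "_"; leading dots go,
    # so the result can never be ".", ".." or a hidden directory.
    name = UNSAFE_PATH.sub("_", text).lstrip(".")
    return name or "unknown"


def sanitize_cef(raw: bytes):
    """Return a cleaned eight-column line, or None if the line is not CEF-shaped."""
    parts = UNESCAPED_PIPE.split(raw.rstrip(b"\r\n"), maxsplit=FIELDS - 1)
    if len(parts) != FIELDS:
        return None  # leave these for a catch-all destination
    out = []
    for i, part in enumerate(parts):
        if i in (1, 2):  # vendor, product: used in the file() path template
            out.append(path_component(part))
        elif is_printable(part):
            out.append(part.decode("ascii"))
        else:  # binary payload: keep the bytes, but as base64 text
            out.append("b64:" + base64.b64encode(part).decode("ascii"))
    return "|".join(out)


if __name__ == "__main__":
    # Filter mode: raw lines on stdin, cleaned lines on stdout.
    for line in sys.stdin.buffer:
        cleaned = sanitize_cef(line)
        if cleaned is None:
            print("rejected: %r" % line[:80], file=sys.stderr)
        else:
            print(cleaned, flush=True)
```

Binary payloads that contain a newline byte will still be split by line-based framing before this filter sees them, so the sender's framing needs checking separately.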