<div dir="auto">Hi,<div dir="auto"><br></div><div dir="auto">You could add flags(syslog-protocol) to your network() source driver, so it recognizes the new 5424 style input.</div><div dir="auto"><br></div><div dir="auto">With that the BOM will be removed from MSG and you won't need the rewrite either.</div><div dir="auto"><br></div><div dir="auto">Balazs</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 23, 2024, 21:17 Jeremy Utley <<a href="mailto:jutley@seedbox.com">jutley@seedbox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm trying to use Syslog-NG to receive logs from our anti-virus web console (ESET Protect).  I've got the logs coming in successfully, but they seem to be adding a UTF-8 BOM as part of the message:<div><br></div><div>[2024-09-23T19:03:36.709950] Incoming log entry; input='<15>1 2024-09-23T19:03:36.455Z b35f2351-8f78-4414-b964-415939a7b0fb ERAServer 43 - - <feff>{"event_type" : "Audit_Event","ipv4" : "172.17.0.11","ipv6" : "","hostname" : "b35f2351-8f78-4414-b964-415939a7b0fb","source_uuid" : "b35f2351-8f78-4414-b964-415939a7b0fb","os_name" : "","occured" : "23-Sep-2024 19:03:36","group_name" : "","group_description" : "","severity" : "Information","domain" : "Mapped account","action" : "Logout","target" : "35396c68-5017-4ea9-b268-d209f8040de9","detail" : "Logging out mapped account \'Jeremy Utley\'.","user" : "Jeremy Utley","result" : "Success"}', msg='0x7f6020022150', rcptid='0'<br></div><div><br></div><div>Because I only care about the JSON data being provided, I'm setting the "flags(no-parse)" option in my network source, and a rewrite filter to remove the initial data as follows:</div><div><br></div><div>source s_network {<br>        network(<br>                port(6514)<br>                transport("tls")<br>                flags(no-parse)<br>                tls(<br>                        
key-file("/etc/syslog-ng/certs/syslog.key")<br>                        cert-file("/etc/syslog-ng/certs/syslog.crt")<br>                        peer-verify(optional-untrusted)<br>                )<br>        );<br>};<br><br>rewrite r_trimjson {<br>  subst("^(.*)- - ", "", value("MESSAGE"));<br>};<br><br>destination d_json {<br>    file("/var/log/json_data.log" template("${MESSAGE}\n"));<br>};<br></div><div><br></div><div>But I can't seem to eliminate the BOM from the output, and that is messing with JSON parsing, since that is added to the beginning of every line (but the first) in my json_data.log file.  I tried adding "\xfe\xff" to the rewrite in an attempt to eliminate it, but that didn't work - the rewrite does not even match at that point.</div><div><br></div><div>Anyone have any suggestions on how I can deal with this?</div><div><br></div><div>Thanks!</div><div><br></div><div>Jeremy Utley</div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
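<div dir="auto">As an added illustration (not part of either message above, and not syslog-ng's own parser), the following Python script shows what the RFC 5424 parsing that flags(syslog-protocol) turns on does to the line from the question, compared with the flags(no-parse) plus subst() approach: the header is split into its fields, the UTF-8 byte order mark (U+FEFF, encoded as the bytes EF BB BF) is taken off the front of MSG, and the remaining JSON decodes cleanly, whereas the rewrite on the raw line leaves those three bytes in place. The regular expression is a simplified RFC 5424 header matcher written for this example, and the sample line is abbreviated from the one in the question; the `\xfe\xff` pattern tried in the question is the UTF-16 byte order mark and never occurs in the UTF-8 stream, which is why that subst() could not match.</div>

```python
import json
import re

# Simplified RFC 5424 header matcher written for this example (not syslog-ng's parser):
# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
HEADER_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    rb"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    rb"(?P<procid>\S+) (?P<msgid>\S+) "
    rb"(?P<sd>-|(?:\[[^\]]*\])+)"
    rb"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

UTF8_BOM = b"\xef\xbb\xbf"   # U+FEFF in UTF-8; syslog-ng's debug output rendered it as <feff>
UTF16_BOM = b"\xfe\xff"      # UTF-16 BE byte order mark; the pattern the question's rewrite tried

# Constructed sample, abbreviated from the ESET Protect line shown in the question.
SAMPLE = (
    b"<15>1 2024-09-23T19:03:36.455Z b35f2351-8f78-4414-b964-415939a7b0fb ERAServer 43 - - "
    + UTF8_BOM
    + b'{"event_type" : "Audit_Event", "hostname" : "b35f2351-8f78-4414-b964-415939a7b0fb", '
    b'"severity" : "Information", "action" : "Logout", "user" : "Jeremy Utley", "result" : "Success"}'
)


def parse_rfc5424(line: bytes) -> dict:
    """Split an RFC 5424 line into header fields and a BOM-free MSG string."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    fields = {k: v.decode("ascii") for k, v in m.groupdict().items()
              if k != "msg" and v is not None}
    pri = int(fields["pri"])
    fields["facility"], fields["severity"] = divmod(pri, 8)
    msg = m.group("msg") or b""
    # RFC 5424 allows MSG to start with a UTF-8 BOM; it is not part of the payload.
    fields["had_bom"] = msg.startswith(UTF8_BOM)
    if fields["had_bom"]:
        msg = msg[len(UTF8_BOM):]
    fields["msg"] = msg.decode("utf-8")
    return fields


def event_via_syslog_protocol(line: bytes) -> dict:
    """What a destination template of ${MESSAGE} yields once the source parses 5424: plain JSON."""
    return json.loads(parse_rfc5424(line)["msg"])


def message_via_no_parse(line: bytes) -> bytes:
    """Emulate flags(no-parse) plus subst("^(.*)- - ", "", value("MESSAGE")) on the raw line."""
    return re.sub(rb"^(.*)- - ", b"", line, count=1)


def json_decodes(text: str) -> bool:
    """True if the text is valid JSON; a leading U+FEFF makes json.loads reject it."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    print("header:", {k: parsed[k] for k in ("hostname", "appname", "procid", "severity")})
    print("BOM seen and stripped:", parsed["had_bom"])
    print("syslog-protocol path decodes:", json_decodes(parsed["msg"]))
    leftover = message_via_no_parse(SAMPLE)
    print("no-parse + rewrite starts with BOM bytes:", leftover.startswith(UTF8_BOM))
    print("no-parse + rewrite decodes:", json_decodes(leftover.decode("utf-8")))
    print("UTF-16 BOM present anywhere:", UTF16_BOM in SAMPLE)
```

<div dir="auto">Run it directly to see the two paths side by side; the only thing that differs is whether the three BOM bytes are recognised as part of the RFC 5424 framing or left at the start of the JSON text.</div>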