Hi All, I have a user receiving messages from Snare but, for some reason, syslog-ng doesn't appear to be converting the TAB characters properly. Snare sends messages as: HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional) I have verified using a sniffer on the syslog-ng server that the message format is coming in correctly with the TABs, but somehow the messages are leaving syslog-ng as: ...snip (full message clipped for brevity) Tue Jun 05 11:09:27 2012592SecuritySYSTEMUserSuccess Audit ...snip In the example above, it should be: Tue Jun 05 11:09:27 2012\011592\011Security\011SYSTEM\011User\011Success Audit I've checked his syslog-ng.conf file and it is the normal one that comes with Ubuntu 12.4 LTS. Any idea what might be causing this? ______________________________________________________________ Clayton Dukes ______________________________________________________________