Hello Alain,

Thanks for sharing the debug output, it showed me where is the problem.
It seems that you don't have the "^M" as a special character in your message but 2 regular ascii characters '^' and 'M'.
In case of a carriage-return character syslog-ng would print this debug message (check the "\x0d" strings):
[2017-12-06T10:08:57.374088] Incoming log entry; line='Dec  4 13:35:23 conf01 2017-12-04 13:35:23,561 Level="INFO" Name="support.sip" Message="Sending SIP response" Src-address="80.12.yy.xx" Src-port="5061" Dst-address="161.105.yy.xx" Dst-port="38509" Transport="TLS" Detail="\x0dMSIP/2.0 403 Forbidden\x0dMVia: SIP/2.0/TLS 161.105.150.12:38509;alias;branch=z9hG4bK.MEgSOM8O4;rport=38509;received=161.105.150.12\x0dMFrom:  <sip:SondeSQS_001!@int.ovp.orange-business.com>;tag=5kYhVMAyi\x0dTo: sip:SondeSQS_001!@int.ovp.orange-business.com;tag=aynkBKUjt0pXHzNv\x0dCSeq: 25 REGISTER\x0dCall-ID: Vhihsb~BhQ\x0dAllow: INVITE,ACK,OPTIONS,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,MESSAGE\x0dSupported: categoryList,adhoclist,sdp-anat,replaces\x0dContent-Length: 0\x0d\x0d"'

You can remove these characters with subst rewrite rule, but please note that by default syslog-ng uses PCRE regular expressions, so you either escape the ^ or use literal strings as search pattern.
Also, when escaping I would recommend of the usage of single-quote instead of double-quotes, otherwise you need to double-escape special characters.
rewrite{ subst('\^M', ' ', flags("global"));  };
rewrite{ subst("\\^M", ' ', flags("global"));  };
or use literal strings instead of regex
rewrite { subst("^M", " ", type("string"), flags("substring")); };


Some notes about regular expressions(in case I forgot something):
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/regular-expressions.html

Best Regards,
Gabor

On Tue, Dec 5, 2017 at 2:03 PM, <alain.villefranque@orange.com> wrote:

Hi Gabor,

 

Thanks for your help.

 

I’ve tried in different way without success:

 

rewrite r_rewrite_subst_CR {

   subst('\r\n'," ",value("MESSAGE"), flags("global"));

   subst('^M'," ",value("MESSAGE"), flags("global"));

   subst("^M"," ",value("MESSAGE"), flags("global"));

   subst("\r\n"," ",value("MESSAGE"), flags("global"));

   subst('\r'," ",value("MESSAGE"), flags("global"));

   subst("\r"," ",value("MESSAGE"), flags("global"));

   subst("Detail","COUCOU",value("MESSAGE"), flags("global"));

};

 

You will see in the attached file that this rewrite rule has no effect on the received message specifically against the ^M character….

 

Do you have any other advice to provide me?

 

Thanks,

 

Regards

 

Alain

 

 

De : syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] De la part de Nagy, Gábor
Envoyé : lundi 4 décembre 2017 16:30
À : Syslog-ng users' and developers' mailing list
Cc : RAMBERT Christophe IMT/OLS
Objet : Re: [syslog-ng] Syslog-ng relay: how to delete or modify special character ^M?

 

Hi Alain!

 

You can replace unwanted special characters by using rewrite rules is syslog-ng.

Rewrite rules accept regular expressions as search pattern.

Please check regular expression options (e.g. use global flags to replace all instances).

Example:

    rewrite{ subst("\r", " ", flags("global"));  };

 

 

Best regards,

Gabor

 

 

On Mon, Dec 4, 2017 at 3:33 PM, <alain.villefranque@orange.com> wrote:

Hi all,

 

I have an issue with the character Carriage Return (^M) inserted by the Syslog source machine.

I try to substitute or rewrite this special character with syslog-ng relay, but it is impossible to modify it, it seems this char is invisible for the program.

I’ve tried to modified it with either with ^M or 0xD char with no success.

 

Example of received message:

 

Dec  4 13:35:23 conf01 2017-12-04 13:35:23,561 Level="INFO" Name="support.sip" Message="Sending SIP response" Src-address="80.12.yy.xx" Src-port="5061" Dst-address="161.105.yy.xx" Dst-port="38509" Transport="TLS"

Detail="^MSIP/2.0 403 Forbidden^MVia: SIP/2.0/TLS 161.105.150.12:38509;alias;branch=z9hG4bK.MEgSOM8O4;rport=38509;received=161.105.150.12^MFrom:  <sip:SondeSQS_001!@int.ovp.orange-business.com>;tag=5kYhVMAyi^MTo: sip:SondeSQS_001!@int.ovp.orange-business.com;tag=aynkBKUjt0pXHzNv^MCSeq: 25 REGISTER^MCall-ID: Vhihsb~BhQ^MAllow: INVITE,ACK,OPTIONS,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,MESSAGE^MSupported: categoryList,adhoclist,sdp-anat,replaces^MContent-Length: 0^M^M"

 

I’d like to suppress ^M or replace it with a “space” char.

 

Is there any specific action to do in order to modify ^M special character ?

 

Regards

 

Alain

 

 

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

 

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq