On 0, Balazs Scheidler <bazsi@balabit.hu> inscribed onto the electric medium...
My question is, is there somewhere in the syslog-ng code where I can easily parse the incoming syslog message and replace linefeeds with something benign, such as spaces or tabs? Or is there another solution that would be better? In the meantime we're opening a bug with the vendor since I consider this their issue, but knowing vendors I'm not confident in their addressing the problem quickly.
Vendor == cisco, perhaps?
linefeeds take an important role in syslog messages, they terminate them. So
I disagree. I just had to track this one down myself; the cisco vpn concentrator is logging stuff with embedded newlines. The RH linux box was logging the whole messages, but the Irix box wasn't. Hence clearly the linefeed doesn't have any true bearing on the length of the syslog message; it should be determined by the length of the incoming message. Any imbedded newlines should be ignored; translated to spaces (as the linux syslog does) or ^M (as the [patched] irix syslog does.) "Be gracious in what you accept, and conservative in what you send." (paraphrased sendmail quotation.) There's no RFC on syslog messages, is there? The Irix syslogd traces its route all the way back to BSD 4.2, and the check that terminated parsing when it hit a newline had been in there from the beginning. --Chan -- Information Services requires Information to Serve. // Chan Wilson cwilson@sgi.com // Enterprise Network Services +1-650-933-9515