[syslog-ng]Linefeed in incoming messages

[Chan Wilson]

On  0, Balazs Scheidler <bazsi@balabit.hu> inscribed onto the electric medium...
> > My question is, is there somewhere in the syslog-ng code where I can
> > easily parse the incoming syslog message and replace linefeeds with
> > something benign, such as spaces or tabs?  Or is there another solution
> > that would be better?  In the meantime we're opening a bug with the
> > vendor since I consider this their issue, but knowing vendors I'm not
> > confident in their addressing the problem quickly.

Vendor == cisco, perhaps?  

> linefeeds take an important role in syslog messages, they terminate them. So

I disagree.  

I just had to track this one down myself; the cisco vpn concentrator
is logging stuff with embedded newlines.  The RH linux box was logging
the whole messages, but the Irix box wasn't.  Hence clearly the
linefeed doesn't have any true bearing on the length of the syslog
message; it should be determined by the length of the incoming
message.  Any imbedded newlines should be ignored; translated to
spaces (as the linux syslog does) or ^M (as the [patched] irix syslog
does.)  

"Be gracious in what you accept, and conservative in what you send."
	(paraphrased sendmail quotation.)

There's no RFC on syslog messages, is there?  The Irix syslogd traces
its route all the way back to BSD 4.2, and the check that terminated
parsing when it hit a newline had been in there from the beginning.

--Chan

-- 
	Information Services requires Information to Serve.

  // Chan Wilson		 	cwilson@sgi.com
 //  Enterprise Network Services	+1-650-933-9515