[syslog-ng] template-escape option and tabs problem

Manuel Mora manuelmora at gmail.com
Thu Sep 7 08:43:46 CEST 2006


Hi, I'm using syslog-ng as a central logging server. We are
redirecting some machines' logs to a FIFO pipe that is connected to
a MySQL DB via a bash script (the typical syslog-ng, MySQL and
php-syslog-ng scenario).


destination d_mysql {
  pipe("/tmp/mysql.pipe"
  template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg)
  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
  template-escape(yes));
};

Our Windows machines are forwarding logs to the central logging server
using SNARE, and SNARE uses horizontal tabs as the field separator. Early
on we started to notice that the messages had a strange format in our DB,
so we redirected the logs to a file using the same template to check
for problems.

In the field corresponding to '$MSG' we obtained the following message
(with \011\ instead of tabs):

'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed
Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well
Known Group\011Success
Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon:
 User Name:      Domain:      Logon ID: (0x1,0xFAC17236)     Logon
Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM
  Workstation Name: EMCANW501     Logon GUID: -     Caller User Name:
-     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -
    Transited Services: -     Source Network Address: 10.210.32.230
 Source Port: 0    \01111688641'

If we use template-escape(no) the message is received correctly, so
there is a problem with the parsing when template-escape is set to
yes: it affects tab characters and it should affect only ' and "
characters.

Are there any solutions for this?


Best Regards.
Manuel Mora
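
Added example, not part of the original post and not syslog-ng code: a consumer-side decoder that leaves template-escape(yes) on, so quotes in $MSG stay escaped inside the generated INSERT, and turns the \011 sequences in the escaped text (as seen in the file destination above) back into tabs before splitting the SNARE fields. It assumes the escape format visible in the message above (backslash plus three octal digits for control characters) and that quotes and backslashes are backslash-prefixed; the function names and the sample line are constructed.

```python
import re

# Assumption: control characters are written as a backslash plus exactly
# three octal digits (the post shows tab as \011), and ' " \ are written
# with a leading backslash. The fixed width is what keeps "\0111" readable
# as tab followed by "1".
_ESCAPE = re.compile(r"\\([0-3][0-7]{2}|.)", re.DOTALL)


def unescape_field(value: str) -> str:
    """Undo the escaping in one left-to-right pass.

    A single pass matters: an escaped backslash followed by the digits 011
    must decode to a literal backslash and "011", not to a tab. Chained
    str.replace() calls get that case wrong.
    """
    def _decode(match: re.Match) -> str:
        token = match.group(1)
        if len(token) == 3:          # octal form of a control character
            return chr(int(token, 8))
        return token                 # escaped quote or backslash
    return _ESCAPE.sub(_decode, value)


def split_snare(escaped_msg: str) -> list:
    """Return the tab-separated SNARE fields of an escaped $MSG value."""
    return unescape_field(escaped_msg).split("\t")


# Constructed sample in the shape of the message in the post: field 3 is
# "1", field 5 is a counter, field 6 holds an escaped quote, field 7 holds
# an escaped backslash directly followed by the digits 011.
SAMPLE = (r"host1.example.org\011MSWinEventLog\0111\011Security"
          r"\01111688642\011O\'Brien\011C:\\011dir")

if __name__ == "__main__":
    for index, field in enumerate(split_snare(SAMPLE)):
        print(index, repr(field))
```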

