[syslog-ng] template-escape option and tabs problem
Hari Sekhon
hpsekhon at googlemail.com
Fri Sep 22 10:25:36 CEST 2006
What version of syslog-ng are you using?
-h
Manuel Mora wrote:
> Hi, I'm using syslog-ng as a central logging server. We are
> redirecting some machines' logs to a FIFO pipe that is connected to
> a MySQL DB via a bash script (the typical syslog-ng, MySQL and
> php-syslog-ng scenario).
>
>
> destination d_mysql {
> pipe("/tmp/mysql.pipe"
> template("INSERT INTO logs (host, facility, priority, level, tag,
> datetime, program, msg)
> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
> '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
> template-escape(yes));
> };
>
> Our Windows machines are forwarding logs to the central logging server
> using SNARE, and SNARE uses horizontal tabs as field separators. Early
> on we started to notice that the messages had a strange format in our DB,
> so we redirected logs to a file using the same template to check
> for problems.
>
> In the field corresponding to '$MSG' we obtained the following message
> (with \011\ instead of tabs):
>
> 'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed
>
> Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well
> Known Group\011Success
> Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon:
> User Name: Domain: Logon ID: (0x1,0xFAC17236) Logon
> Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM
> Workstation Name: EMCANW501 Logon GUID: - Caller User Name:
> - Caller Domain: - Caller Logon ID: - Caller Process ID: -
> Transited Services: - Source Network Address: 10.210.32.230
> Source Port: 0 \01111688641'
>
> If we use template-escape(no) the message is received correctly, so
> there is a problem with the parsing when template-escape is set to
> yes: it affects tab characters, and it should affect only ' and "
> characters.
>
> Are there any solutions for this?
>
>
> Best Regards.
> Manuel Mora
--
Hari Sekhon
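
An added example, not part of the original thread or either poster's code: one way to handle the symptom on the consuming side is to decode the `\011` escapes back into tabs, split the SNARE fields, and insert with bound parameters so that quotes in `$MSG` never become part of the SQL text. The function names and the sample message are constructed for illustration, an in-memory SQLite table stands in for the MySQL `logs` table, and only the `\NNN` form visible in the quoted output is assumed.

```python
import re
import sqlite3

# Constructed sample shaped like the quoted $MSG: SNARE's tab separators have
# arrived as the literal four characters \011, and the text contains a quote.
ESCAPED_MSG = (
    r"HOST01.example.org\011MSWinEventLog\0111\011Security\011100\011"
    r"Wed Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011"
    r"Well Known Group\011Success Audit\011HOST01\011Logon/Logoff\011\011"
    r"Successful Network Logon: User Name: O'Brien\011101"
)

# Assumption: only the backslash + three octal digits form seen above is decoded.
_OCTAL = re.compile(r"\\([0-3][0-7]{2})")


def unescape_octal(text):
    """Turn \\NNN octal escapes back into the characters they stand for."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)


def snare_fields(msg):
    """Split a SNARE message into its tab-separated fields."""
    return unescape_octal(msg).split("\t")


def store(conn, host, msg):
    """Insert with bound parameters: quotes and tabs never become SQL text."""
    conn.execute(
        "INSERT INTO logs (host, msg) VALUES (?, ?)",
        (host, unescape_octal(msg)),
    )


def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL logs table
    conn.execute("CREATE TABLE logs (host TEXT, msg TEXT)")
    store(conn, "HOST01", ESCAPED_MSG)
    return conn.execute("SELECT host, msg FROM logs").fetchone()


if __name__ == "__main__":
    host, msg = demo()
    print(host, repr(msg))
    print(snare_fields(ESCAPED_MSG))
```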