[syslog-ng] template-escape option and tabs problem

Manuel Mora manuelmora at gmail.com
Fri Sep 22 18:01:02 CEST 2006


Hi Hari, I'm using 2.0rc but I have solved the problem. I have
modified macros.c, line 127; it escapes all characters that are less
than ' ' (space), and I just added a new condition to avoid escaping tabs.

Best Regards.

On 9/22/06, Hari Sekhon <hpsekhon at googlemail.com> wrote:
> what version of syslog-ng are you using?
>
> -h
>
>
> Manuel Mora wrote:
> > Hi, I'm using syslog-ng as a central logging server, we are
> > redirecting some machines' logs to a FIFO pipe that is connected to
> > a MySQL DB via a bash script (the typical syslog-ng, MySQL and
> > php-syslog-ng scenario).
> >
> >
> > destination d_mysql {
> >  pipe("/tmp/mysql.pipe"
> >  template("INSERT INTO logs (host, facility, priority, level, tag,
> > datetime, program, msg)
> >  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
> > '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
> >  template-escape(yes));
> > };
> >
> > Our Windows machines are forwarding logs to the central logging server
> > using SNARE, and SNARE uses horizontal tabs as the field separator. Early
> > on we started to notice that the messages had a strange format in our DB,
> > so we redirected the logs to a file using the same template to check
> > for problems.
> >
> > In the field corresponding to '$MSG' we obtained the following message
> > (with \011\ instead of tabs):
> >
> > 'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed
> >
> > Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well
> > Known Group\011Success
> > Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon:
> > User Name:      Domain:      Logon ID: (0x1,0xFAC17236)     Logon
> > Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM
> >  Workstation Name: EMCANW501     Logon GUID: -     Caller User Name:
> > -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -
> >    Transited Services: -     Source Network Address: 10.210.32.230
> > Source Port: 0    \01111688641'
> >
> > If we use template-escape(no) the message is received correctly, so
> > there is a problem with the parsing when template-escape is set to
> > yes: it affects tab characters and it should affect only ' and "
> > characters.
> >
> > Are there any solutions for this?
> >
> >
> > Best Regards.
> > Manuel Mora
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
> >
>
>
> --
> Hari Sekhon
>
>
>
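
The behaviour discussed in this thread (quotes escaped, control characters written as three-digit octal such as `\011`, and the described change that lets tabs through), as an added example; it is not the syslog-ng code from macros.c. The function name `escape_value`, the `keep_tabs` flag and the escaping of backslash itself are assumptions, and the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not syslog-ng source. Writes the escaped form of
 * `in` to `out`; returns its length, or -1 if `out` is too small. */
static int escape_value(const char *in, char *out, size_t outsz, int keep_tabs)
{
    size_t o = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        char buf[5];
        size_t n;

        if (c == '\'' || c == '"' || c == '\\') {
            /* Quotes (and backslash, an assumption here) get a backslash
             * prefix so log content cannot end the SQL string literal. */
            buf[0] = '\\';
            buf[1] = (char)c;
            n = 2;
        } else if (c < ' ' && !(keep_tabs && c == '\t')) {
            /* Control characters become three-digit octal, e.g. \011. */
            n = (size_t)snprintf(buf, sizeof buf, "\\%03o", (unsigned)c);
        } else {
            buf[0] = (char)c;
            n = 1;
        }
        if (o + n >= outsz)
            return -1;          /* keep room for the terminator */
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: tab-separated fields, a quote and a newline. */
    const char *msg = "MSWinEventLog\t1\tSecurity\tO'Brien\n";
    char out[128];

    if (escape_value(msg, out, sizeof out, 0) >= 0)
        printf("escape all: %s\n", out);
    if (escape_value(msg, out, sizeof out, 1) >= 0)
        printf("keep tabs : %s\n", out);
    return 0;
}
```

With `keep_tabs` set, the tab separators reach the template unchanged while the quote and the newline are still escaped, so the value stays inside its quoted SQL literal.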

