[syslog-ng] template-escape option and tabs problem

Hari Sekhon hpsekhon at googlemail.com
Fri Sep 22 18:54:27 CEST 2006 

Manuel Mora wrote:
> Hi Hari, I'm using 2.0rc but I have solved the problem. I have
> modified macros.c, line 127, it scapes all characters that are littler
> than ' ' (space), I just added a new condition to avoid tabs scaping.
>
> Best Regards.
>
> On 9/22/06, Hari Sekhon <hpsekhon at googlemail.com> wrote:
>> what version of syslog-ng are you using?
>>
>> -h
>>
>>
>> Manuel Mora wrote:
>> > Hi, I'm using syslog-ng as a central logging server, we are
>> > redirectioning some machine's logs to a FIFO pipe that is connected to
>> > a MySQL DB via a bash script (the typical syslog-ng , MySQL and
>> > php-syslog-ng scenario).
>> >
>> >
>> > destination d_mysql {
>> >  pipe("/tmp/mysql.pipe"
>> >  template("INSERT INTO logs (host, facility, priority, level, tag,
>> > datetime, program, msg)
>> >  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
>> > '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
>> >  template-escape(yes));
>> > };
>> >
>> > Our Windows machines are forwarding logs to the central logging server
>> > using SNARE and SNARE uses horizontal tabs as field separator. Early
>> > we started to notice that the messages had a strange format in our DB
>> > so we redirectioned logs to a file using the same template to check
>> > for problems.
>> >
>> > In the field corresponding to '$MSG' we obtained the next message
>> > (with \011\ instead of tabs) :
>> >
>> > 
>> 'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed 
>>
>> >
>> > Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well
>> > Known Group\011Success
>> > Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon:
>> > User Name:      Domain:      Logon ID: (0x1,0xFAC17236)     Logon
>> > Type: 3     Logon Process: NtLmSsp      Authentication Package: NTLM
>> >  Workstation Name: EMCANW501     Logon GUID: -     Caller User Name:
>> > -     Caller Domain: -     Caller Logon ID: -     Caller Process ID: -
>> >    Transited Services: -     Source Network Address: 10.210.32.230
>> > Source Port: 0    \01111688641'
>> >
>> > If we use template-escape(no) the message was received correctly so
>> > there is a problem with the parsing when template-escape is set to
>> > yes, it affects tab characters and it should affect only to ' and "
>> > characters.
>> >
>> > Are there any solutions for this?
>> >
>> >
>> > Best Regards.
>> > Manuel Mora
>> > _______________________________________________
>> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>> >
>> >
>>
>>
>> -- 
>> Hari Sekhon
>>
>> _______________________________________________
>> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>>
>>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
I guess this really shows the beauty of open source, you can fix it 
yourself!

good on you.

-h

-- 
Hari Sekhon

More information about the syslog-ng mailing list