[syslog-ng] [Bug 131] New: XML tags being stripped

Wed Aug 24 18:49:29 CEST 2011

https://bugzilla.balabit.com/show_bug.cgi?id=131

           Summary: XML tags being stripped
           Product: syslog-ng
           Version: 3.0.x
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: jsu2 at emory.edu
Type of the Report: bug
   Estimated Hours: 0.0

Is there a known bug where syslog-ng arbitrarily strips xml tags from log messages?  That is, some of our logs output xml, and syslog-ng seems to be stripping
some of these tags before writing them.  In particular, we have syslog-ng client configured to read from a local log file, send the log file to the syslog-ng
server.  The server does some basic csv parsing before writing it out.  If this problem is fixed in a newer version, please let me know which version.

Here's what the original log file should look like:

2011-08-24 12:00:02,685 INFO [Thread-35674] - [MessageIdentificationSyncCommand] Processing message <?xml version="1.0" encoding="UTF-8"?>

<PurchaseOrderMessage version="2.2">

<Header>

<MessageId>3125206c-5063-4465-a020-0131fc850885</MessageId>

<Timestamp>2011-08-24T12:00:02.183-04:00</Timestamp>

<Authentication>

<Identity>Emory</Identity>

<SharedSecret>PO$xport</SharedSecret>

</Authentication>

</Header>

<PurchaseOrder>

<POHeader id="16972984">

<WorkflowStatus status="Completed" />

<SupplierStatus status="SentToSupplier">

<HasBackorderedItems>false</HasBackorderedItems>

<HasCancelledItems>false</HasCancelledItems>

<HasSupplierEdits>false</HasSupplierEdits>

<HasShippedItems>false</HasShippedItems>

</SupplierStatus>

<APStatus status="Close" />

<RevisionNumber>1</RevisionNumber>

<RevisionDate>2011-08-24T11:54:10.745-04:00</RevisionDate>

<PONumber>S660540</PONumber>

<AlternatePONumber />

<Requestor>

<UserProfile username="nbonus">

<FirstName>Nancy</FirstName>

<LastName>Doe</LastName>

<Email>ndoe at mydomain.bogus</Email>

<Phone>

<TelephoneNumber>

<CountryCode>1</CountryCode>

<AreaCode>555</AreaCode>

<Number>5552765</Number>

</TelephoneNumber>

</Phone>

<Department>My Department</Department>

But, it shows up on syslog-ng server as:

intesbprod1 [10857]: Error processing log message: <PurchaseOrderMessage version="2.2">
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 00:02.183-04:00</Timestamp>
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : id="16972984">
intesbprod1 : status="Completed" />
intesbprod1 : status="SentToSupplier">
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : status="Close" />
intesbprod1 : 
intesbprod1 : 54:10.745-04:00</RevisionDate>
intesbprod1 : 
intesbprod1 : />
intesbprod1 : 
intesbprod1 : username="ndoe">
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : 
intesbprod1 : My Department</Department>

Here's how the client is configured:
source s_RoutingService { 
        file("/opt/openeai/dev/logs/RoutingService.log" program_override("EnterpriseServiceBus RoutingService.log dev ")); 
}; 

source s_axis2 {
        file("/var/log/jboss/axis2.log" program_override("JBoss axis2.log qa "));
};

###################### 
# logging rules      # 
###################### 
log { source(s_RoutingService); destination(d_net);} ; 
log { source(s_axis2); destination(d_net);} ; 

Here's how the server is configured:
filter f_apps  {
    program("EnterpriseServiceBus" flags ("ignore-case")) or
    program("JBoss" flags ("ignore-case")) or
    program("SonicMQ" flags ("ignore-case"));
};
template t_apps { template("$SHOST ${ESB.MSG}\n"); };
parser p_apps  { csv-parser(columns("ESB.LOG","ESB.DIR","ESB.MSG") delimiters(" ") flags(greedy, escape-none)); };
destination d_apps { file("/var/UTS/actv/$R_YEAR-$R_MONTH-$R_DAY/apps/$PROGRAM/${ESB.DIR}/${ESB.LOG}" create_dirs(yes) template(t_apps)); };

log { source(s_net); parser(p_shost);
    log { filter(f_systems);
        .
        .
        .
        log { filter(f_apps); parser(p_apps); destination(d_apps); flags(final); };
        log { destination(d_srvr_mesg); flags(final); };
    };
};

-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.