[syslog-ng] Snare TAB characters converted to \011 are missing?
Clayton Dukes
cdukes at gmail.com
Wed Jun 6 17:47:44 CEST 2012
Hi All,
I have a user receiving messages from Snare but, for some reason, syslog-ng
doesn't appear to be converting the TAB characters properly.
Snare sends messages as:
HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5
checksum (optional)
I have verified using a sniffer on the syslog-ng server that the message
format is coming in correctly with the TABs, but somehow the messages are
leaving syslog-ng as:
...snip (full message clipped for brevity)
Tue Jun 05 11:09:27 2012592SecuritySYSTEMUserSuccess Audit
...snip
In the example above, it should be:
Tue Jun 05 11:09:27 2012\011592\011Security\011SYSTEM\011User\011Success
Audit
I've checked his syslog-ng.conf file and it is the normal one that comes
with Ubuntu 12.4 LTS.
Any idea what might be causing this?
______________________________________________________________
Clayton Dukes
______________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120606/3763a068/attachment.htm
More information about the syslog-ng
mailing list