[syslog-ng] Snare TAB characters converted to \011 are missing?

Clayton Dukes cdukes at gmail.com
Thu Jun 7 15:01:22 CEST 2012


Anyone have any idea?
______________________________________________________________

Clayton Dukes
______________________________________________________________


On Wed, Jun 6, 2012 at 11:47 AM, Clayton Dukes <cdukes at gmail.com> wrote:

> Hi All,
> I have a user receiving messages from Snare but, for some reason,
> syslog-ng doesn't appear to be converting the TAB characters properly.
>
> Snare sends messages as:
> HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5
> checksum (optional)
>
> I have verified using a sniffer on the syslog-ng server that the message
> format is coming in correctly with the TABs, but somehow the messages are
> leaving syslog-ng as:
>
> ...snip (full message clipped for brevity)
> Tue Jun 05 11:09:27 2012592SecuritySYSTEMUserSuccess Audit
> ...snip
>
> In the example above, it should be:
> Tue Jun 05 11:09:27 2012\011592\011Security\011SYSTEM\011User\011Success
> Audit
>
> I've checked his syslog-ng.conf file and it is the normal one that comes
> with Ubuntu 12.4 LTS.
> Any idea what might be causing this?
>
> ______________________________________________________________
>
> Clayton Dukes
> ______________________________________________________________
>
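To make the symptom in the thread checkable, here is an added example (not part of the mailing list post or of syslog-ng) that parses a Snare MSWinEventLog line using the field list quoted above and accepts either a literal TAB or the `\011` octal escape syslog-ng writes for it; it returns nothing when the separators have been stripped, which is the failure the post describes. The sample records and the host name `winhost01` are constructed for the example.

```python
import re

# Field names of a Snare MSWinEventLog record, in the order given in the post.
SNARE_FIELDS = [
    "HostName", "MSWinEventLog", "Criticality", "EventLogSource", "SnareCounter",
    "SubmitTime", "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString",
]

# A separator is either a real TAB or the octal escape \011 that syslog-ng
# emits when it escapes control characters.
_SEPARATOR = re.compile(r"\t|\\011")


def separator_form(message):
    """Report how the line is delimited: 'tab', 'escaped', or 'none'."""
    if "\t" in message:
        return "tab"
    if "\\011" in message:
        return "escaped"
    return "none"


def parse_snare(message):
    """Split one Snare line into a dict keyed by SNARE_FIELDS.

    The optional trailing MD5 checksum becomes record['MD5'].  Returns None
    when fewer than 15 fields can be found, i.e. the TABs were lost somewhere
    between Snare and the syslog-ng destination.
    """
    parts = _SEPARATOR.split(message)
    if len(parts) < len(SNARE_FIELDS):
        return None
    record = dict(zip(SNARE_FIELDS, parts))
    if len(parts) > len(SNARE_FIELDS):
        record["MD5"] = parts[len(SNARE_FIELDS)]
    return record


# Constructed sample values; the SubmitTime through EventLogType values mirror
# the fragment quoted in the post.
_FIELDS = ["winhost01", "MSWinEventLog", "1", "Security", "4711",
           "Tue Jun 05 11:09:27 2012", "592", "Security", "SYSTEM", "User",
           "Success Audit", "WINHOST01", "Detailed Tracking",
           "A new process has been created.", ""]
SAMPLE_RAW = "\t".join(_FIELDS)                     # as Snare sends it
SAMPLE_ESCAPED = SAMPLE_RAW.replace("\t", "\\011")  # as syslog-ng should write it
SAMPLE_COLLAPSED = "".join(_FIELDS)                 # the broken output in the post
```

Running the three samples through `parse_snare` shows the raw and escaped forms yield the same record while the collapsed form is rejected.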