[syslog-ng] OSE 3.7.2 questions

Scheidler, Balázs balazs.scheidler at balabit.com
Fri Nov 13 14:02:08 CET 2015


-- 
Bazsi

On Fri, Nov 13, 2015 at 1:43 PM, Fekete, Róbert <robert.fekete at balabit.com>
wrote:

> Hi,
>
> I've seen that you had a few patches merged to 3.7.2, and I'm not sure
> what to include in the docs about them:
>
>  - There were some csv-parser changes, is any of them user-visible?
>

Well, not that much. The only user-visible change is that the contents of
the delimiters() option can now come in any order, whereas it required a
specified order before (chars and then strings), but I think that was never
intended, and it is probably not documented either.

There are new features in csv-parser() in current master though (which is
going to be published as 3.8).


>  - What does linux-audit-parser do? Does it require any configuration, or
> does it just work?
>

It processes the format produced by auditd. It has two options:


   - template() same as with other parsers, it specifies the input to be
   parsed (defaults to $MSG like everywhere else)
   - prefix() specifies the name-value prefix to be prepended to values
   parsed (defaults to the empty string).

Some fields in the audit log are encoded in hexadecimal form if they
contain spaces or non-printable characters. linux-audit-parser() will
automatically decode these fields:

  "name",
  "proctitle",
  "path",
  "dir",
  "comm",
  "ocomm",
  "data",
  "old",
  "new",

and a hard-coded pattern (a[:digits:]* will be decoded as well); the rest
is kept intact.


>
> Thanks!
>
> Robert
>
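As an added illustration of the decoding rule described in the reply above (this is not syslog-ng's own code), the Python below parses constructed auditd records into name-value pairs the way linux-audit-parser() is described to work: quoted values are taken as-is, the listed fields and the a<digits> arguments are hex-decoded when they arrive unquoted, and a prefix() value is prepended to every key. The field list and the a[:digits:]* pattern come from the message; restricting argument decoding to EXECVE records (SYSCALL records carry numeric hex in a0..a3), the ".audit." prefix and the sample lines are my own assumptions.

```python
import re

# Fields that auditd hex-encodes when the value contains a space or a
# non-printable character (the list given in the message above).
HEX_FIELDS = frozenset(
    {"name", "proctitle", "path", "dir", "comm", "ocomm", "data", "old", "new"}
)
# The "a[:digits:]*" pattern from the message: a0, a1, ... (EXECVE arguments).
HEX_ARG_RE = re.compile(r"^a[0-9]*$")
# key=value tokens; a quoted value may contain spaces, an unquoted one may not.
TOKEN_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# An unquoted hex blob is an even-length run of hex digits.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Constructed sample records (not captured from a real system).
SAMPLE_LINES = [
    # EXECVE record: a1 is hex-encoded because the path contains a space
    'type=EXECVE msg=audit(1447419728.123:456): argc=2 a0="cat" '
    'a1=2F746D702F6D792066696C65',
    # PATH record: name is hex-encoded for the same reason
    'type=PATH msg=audit(1447419728.123:456): item=0 '
    'name=2F746D702F6D792066696C65 inode=1234 dev=08:01 mode=0100644',
    # PROCTITLE record: argv entries are NUL-separated inside the hex blob
    'type=PROCTITLE msg=audit(1447419728.123:456): '
    'proctitle=636174002F746D702F6D792066696C65',
]


def decode_hex_field(value):
    """Return the decoded string for an unquoted hex value, else None."""
    if not HEX_RE.match(value):
        return None
    # Assumption: decode as UTF-8 and keep embedded NULs (proctitle separates
    # argv entries with NUL); undecodable bytes are replaced, not dropped.
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def parse_audit_line(line, prefix=""):
    """Parse one auditd record into a dict of prefix+key -> decoded value.

    Mirrors the behaviour described in the message: quoted values are plain
    text, the HEX_FIELDS and a<digits> fields are hex-decoded when unquoted,
    everything else is kept intact. Duplicate keys keep the last value.
    """
    raw_fields = dict(TOKEN_RE.findall(line))
    record_type = raw_fields.get("type", "").strip('"')
    fields = {}
    for key, raw in raw_fields.items():
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]  # quoted: auditd only quotes plain values
        elif key in HEX_FIELDS or (
            # Assumption: only EXECVE arguments are hex-encoded strings;
            # SYSCALL a0..a3 are raw hex numbers and must stay as they are.
            record_type == "EXECVE" and HEX_ARG_RE.match(key)
        ):
            decoded = decode_hex_field(raw)
            value = raw if decoded is None else decoded
        else:
            value = raw  # kept intact
        fields[prefix + key] = value
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_audit_line(sample, prefix=".audit."))
```

With prefix(".audit.") the EXECVE line yields `.audit.a1` = `/tmp/my file`, the PATH line yields `.audit.name` with the same decoded path, and the PROCTITLE line yields `cat`, a NUL, and the path, which is why a downstream template usually wants to replace NULs before logging.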