[syslog-ng] Syslog-ng relay: how to delete or modify special character ^M?

Nagy, Gábor gabor.nagy at balabit.com
Mon Dec 4 15:30:10 UTC 2017


Hi Alain!

You can replace unwanted special characters by using rewrite rules in
syslog-ng.
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/rewrite-replace.html
Rewrite rules accept regular expressions as the search pattern.
Please check regular expression options (e.g. use global flags to replace
all instances).
Example:
    rewrite{ subst("\r", " ", flags("global"));  };

https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/regular-expressions.html

Best regards,
Gabor


On Mon, Dec 4, 2017 at 3:33 PM, <alain.villefranque at orange.com> wrote:

> Hi all,
>
>
>
> I have an issue with the character Carriage Return (^M) inserted by the
> Syslog source machine.
>
> I try to substitute or rewrite this special character with syslog-ng
> relay, but it is impossible to modify it, it seems this char is invisible
> for the program.
>
> I’ve tried to modify it with either ^M or the 0xD char, with no success.
>
>
>
> Example of received message:
>
>
>
> Dec  4 13:35:23 conf01 2017-12-04 13:35:23,561 Level="INFO"
> Name="support.sip" Message="Sending SIP response" Src-address="80.12.yy.xx"
> Src-port="5061" Dst-address="161.105.yy.xx" Dst-port="38509"
> Transport="TLS"
>
> Detail*="^M*SIP/2.0 403 Forbidden*^M*Via: SIP/2.0/TLS 161.105.150.12:38509
> ;alias;branch=z9hG4bK.MEgSOM8O4;rport=38509;received=161.105.150.12*^M*From:
> <sip:SondeSQS_001!@int.ovp.orange-business.com>;tag=5kYhVMAyi^MTo:
> sip:SondeSQS_001!@int.ovp.orange-business.com;tag=aynkBKUjt0pXHzNv*^M*CSeq:
> 25 REGISTER*^M*Call-ID: Vhihsb~BhQ*^M*Allow:
> INVITE,ACK,OPTIONS,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,MESSAGE*^M*Supported:
> categoryList,adhoclist,sdp-anat,replaces^MContent-Length: 0*^M^M*"
>
>
>
> I’d like to suppress *^M* or replace it with a “space” char.
>
>
>
> Is there any specific action to do in order to modify the ^M special
> character?
>
>
>
> Regards
>
>
>
> Alain
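
The rewrite rule from the reply above, placed in a complete relay log path. This is an added example, not part of the original thread: the `@version` line, the listener port, the `central.example.net` destination and the object names `s_net`, `r_strip_cr` and `d_central` are assumptions to adapt to your installation.

```conf
@version: 3.13
# Added example: relay that replaces carriage returns before forwarding.
# Version, port, destination host and object names are assumptions.

source s_net {
    network(transport("udp") port(514));
};

rewrite r_strip_cr {
    # "\r" in a double-quoted string is the carriage return (0x0D),
    # the character shown as ^M in the received message.
    # value("MESSAGE") applies the substitution to the message body;
    # flags("global") replaces every occurrence, not only the first.
    subst("\r", " ", value("MESSAGE"), type("pcre"), flags("global"));
};

destination d_central {
    network("central.example.net" transport("tcp") port(514));
};

log {
    source(s_net);
    rewrite(r_strip_cr);    # the rule must be referenced in the log path
    destination(d_central);
};
```

Check the file with `syslog-ng --syntax-only -f <path-to-config>` before reloading the relay.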