[syslog-ng] Syslog-ng relay: how to delete or modify special character ^M?

alain.villefranque at orange.com alain.villefranque at orange.com
Tue Dec 5 13:03:15 UTC 2017


Hi Gabor,

Thanks for your help.

I’ve tried in different way without success:

rewrite r_rewrite_subst_CR {
   subst('\r\n'," ",value("MESSAGE"), flags("global"));
   subst('^M'," ",value("MESSAGE"), flags("global"));
   subst("^M"," ",value("MESSAGE"), flags("global"));
   subst("\r\n"," ",value("MESSAGE"), flags("global"));
   subst('\r'," ",value("MESSAGE"), flags("global"));
   subst("\r"," ",value("MESSAGE"), flags("global"));
   subst("Detail","COUCOU",value("MESSAGE"), flags("global"));
};

You will see in the attached file that this rewrite rule has no effect on the received message specifically against the ^M character….

Do you have any other advice to provide me?

Thanks,

Regards

Alain


De : syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] De la part de Nagy, Gábor
Envoyé : lundi 4 décembre 2017 16:30
À : Syslog-ng users' and developers' mailing list
Cc : RAMBERT Christophe IMT/OLS
Objet : Re: [syslog-ng] Syslog-ng relay: how to delete or modify special character ^M?

Hi Alain!

You can replace unwanted special characters by using rewrite rules is syslog-ng.
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/rewrite-replace.html
Rewrite rules accept regular expressions as search pattern.
Please check regular expression options (e.g. use global flags to replace all instances).
Example:
    rewrite{ subst("\r", " ", flags("global"));  };

https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/regular-expressions.html

Best regards,
Gabor


On Mon, Dec 4, 2017 at 3:33 PM, <alain.villefranque at orange.com<mailto:alain.villefranque at orange.com>> wrote:
Hi all,

I have an issue with the character Carriage Return (^M) inserted by the Syslog source machine.
I try to substitute or rewrite this special character with syslog-ng relay, but it is impossible to modify it, it seems this char is invisible for the program.
I’ve tried to modified it with either with ^M or 0xD char with no success.

Example of received message:

Dec  4 13:35:23 conf01 2017-12-04 13:35:23,561 Level="INFO" Name="support.sip" Message="Sending SIP response" Src-address="80.12.yy.xx" Src-port="5061" Dst-address="161.105.yy.xx" Dst-port="38509" Transport="TLS"
Detail="^MSIP/2.0 403 Forbidden^MVia: SIP/2.0/TLS 161.105.150.12:38509;alias;branch=z9hG4bK.MEgSOM8O4;rport=38509;received=161.105.150.12^MFrom:  <sip:SondeSQS_001!@int.ovp.orange-business.com<http://int.ovp.orange-business.com>>;tag=5kYhVMAyi^MTo: sip:SondeSQS_001!@int.ovp.orange-business.com<http://int.ovp.orange-business.com>;tag=aynkBKUjt0pXHzNv^MCSeq: 25 REGISTER^MCall-ID: Vhihsb~BhQ^MAllow: INVITE,ACK,OPTIONS,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,MESSAGE^MSupported: categoryList,adhoclist,sdp-anat,replaces^MContent-Length: 0^M^M"

I’d like to suppress ^M or replace it with a “space” char.

Is there any specific action to do in order to modify ^M special character ?

Regards

Alain



_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20171205/ef16b78c/attachment-0001.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: syslog-ng -Fevd.txt
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20171205/ef16b78c/attachment-0001.txt>


More information about the syslog-ng mailing list