We have an issue with syslog-ng and the Snare Windows EventLog to Syslog agent.
The Snare messages are not being parsed properly when entered into our mysql database. A good explanation can be found
here. Snippet below:
Quote:
In the field corresponding to '$MSG' we obtained the following message
(with \011 instead of tabs):
'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well Known Group\011Success Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon: User Name: Domain: Logon ID: (0x1,0xFAC17236) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: EMCANW501 Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.210.32.230 Source Port: 0 \01111688641'
We have upgraded both the syslog-ng and eventlog components to the latest available on our platform -
CentOS 5.2.
eventlog-0.2.7-1.el5.i386.rpm
syslog-ng-2.1.3-1.el5.i386.rpm
The only workaround we have at the moment so that the syslog messages are readable is to disable escape characters (template-escape(no)) in syslog-ng.conf.
Code:
# Write each message as an SQL INSERT into a named pipe that a mysql client reads
destination d_mysql {
    pipe("/var/log/mysql.pipe"
        template("INSERT INTO logs
            (host, facility, priority, level, tag, datetime, program, msg)
            VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
            '$PROGRAM', '$MSG' );\n")
        # workaround: disable escaping so the tabs are not written as \011
        template-escape(no));
};
But this of course removes all backslashes (\) in the messages, so it is not a perfect workaround/fix.
regards,
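As an added example (not code from the post, nor from the Snare or syslog-ng projects), here is a consumer-side parser for a Snare MSWinEventLog record that accepts either the raw tab-separated form or the \011-escaped form syslog-ng stored; the field labels and the sample record (rebuilt from the quote above, description abridged) are assumptions made for illustration.

```python
import re

# Snare MSWinEventLog field order (tab-separated) as seen in the quoted record.
# These names are labels assumed here for illustration, not Snare's own.
SNARE_FIELDS = [
    "hostname", "snare_tag", "criticality", "log_name", "counter",
    "date", "event_id", "source", "user", "sid_type", "event_type",
    "computer", "category", "data", "description", "checksum",
]

# syslog-ng wrote the tabs as octal escapes of the form \NNN (e.g. \011)
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_syslog_ng(msg: str) -> str:
    """Turn octal escapes such as \\011 back into the character they encode."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), msg)


def parse_snare(msg: str) -> dict:
    """Parse a Snare record, escaped or raw, into named fields."""
    parts = unescape_syslog_ng(msg).split("\t")
    if len(parts) < 2 or parts[1] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog record")
    record = dict(zip(SNARE_FIELDS, parts))
    # The network address only appears inside the free-text description
    m = re.search(r"Source Network Address:\s*(\S+)", record.get("description", ""))
    record["source_address"] = m.group(1) if m else None
    return record


# Constructed sample: the record quoted in the post with its tabs restored
# (description abridged)
SAMPLE = "\t".join([
    "EMGDCW502.esp.e-corpnet.org", "MSWinEventLog", "1", "Security", "11688642",
    "Wed Sep 06 11:20:06 2006", "540", "Security", "ANONYMOUS LOGON",
    "Well Known Group", "Success Audit", "EMGDCW502", "Logon/Logoff", "",
    "Successful Network Logon: User Name: Domain: Logon ID: (0x1,0xFAC17236) "
    "Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM "
    "Workstation Name: EMCANW501 Source Network Address: 10.210.32.230 Source Port: 0 ",
    "11688641",
])
# The same record as it reaches the database with template-escape(yes)
SAMPLE_ESCAPED = SAMPLE.replace("\t", r"\011")

if __name__ == "__main__":
    for name, value in parse_snare(SAMPLE_ESCAPED).items():
        print(f"{name:15} {value!r}")
```

Undoing the octal escapes when reading the rows back lets template-escape stay enabled, so quotes and backslashes inside $MSG still reach the INSERT escaped instead of being dropped.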