LinuxQuestions.org
Old 01-05-2009, 01:56 AM   #1
hattori.hanzo
syslog-ng & Snare - \011\ instead of tabs


We have an issue with syslog-ng and the Snare Windows EventLog to Syslog agent.

The Snare messages are not being parsed properly when entered into our MySQL database. A good explanation could be found here. Snippet below:

Quote:
In the field corresponding to '$MSG' we obtained the next message
(with \011\ instead of tabs) :

'EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security\01111688642\011Wed
Sep 06 11:20:06 2006\011540\011Security\011ANONYMOUS LOGON\011Well
Known Group\011Success
Audit\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon:
User Name: Domain: Logon ID: (0x1,0xFAC17236) Logon
Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM
Workstation Name: EMCANW501 Logon GUID: - Caller User Name:
- Caller Domain: - Caller Logon ID: - Caller Process ID: -
Transited Services: - Source Network Address: 10.210.32.230
Source Port: 0 \01111688641'

We have upgraded both the syslog-ng and eventlog components to the latest available on our platform - CentOS 5.2.

eventlog-0.2.7-1.el5.i386.rpm
syslog-ng-2.1.3-1.el5.i386.rpm

The only workaround we have at the moment so the syslog messages are readable is to disable escape characters (template-escape(no)) in syslog-ng.conf.

Code:
# template-escape(no) leaves ' " and \ from $MSG unescaped inside the generated INSERT.
destination d_mysql {
      pipe("/var/log/mysql.pipe"
              template("INSERT INTO logs
              (host, facility, priority, level, tag, datetime, program, msg)
              VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
              '$PROGRAM', '$MSG' );\n") template-escape(no));
};
But then this of course removes all backslashes (\) in the messages so is not a perfect workaround/fix.

regards,
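
Added example, not part of the original post: a Python sketch that decodes the `\011`-style octal sequences shown in the quoted record back into tabs, splits the Snare fields, and inserts them with bound parameters, so quotes and backslashes in `$MSG` are stored as data without relying on template-escape. The field names, the reduced `logs` columns, and sqlite3 standing in for MySQL are assumptions made for the example.

```python
import re
import sqlite3

# Field names are assumptions inferred from the sample record quoted in the post.
SNARE_FIELDS = ("host", "log_format", "criticality", "log_name", "counter",
                "event_time", "event_id", "source", "user", "sid_type",
                "event_type", "computer", "category", "data", "description",
                "trailer")
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# Constructed sample: the quoted record, shortened, with a quote and a
# backslash added to the description to exercise the insert.
SAMPLE = (r"EMGDCW502.esp.e-corpnet.org\011MSWinEventLog\0111\011Security"
          r"\01111688642\011Wed Sep 06 11:20:06 2006\011540\011Security"
          r"\011ANONYMOUS LOGON\011Well Known Group\011Success Audit"
          r"\011EMGDCW502\011Logon/Logoff\011\011Successful Network Logon: "
          r"User Name: o'neil Domain: CORP\it Logon Type: 3 \01111688641")

def decode_octal(msg):
    """Replace backslash + three octal digits (\\011) with that character.
    A literal backslash followed by three octal digits cannot be told apart."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), msg)

def parse_snare(msg):
    """Split a decoded Snare record on tabs and name the fields."""
    parts = [p.strip() for p in decode_octal(msg).split("\t")]
    if len(parts) != len(SNARE_FIELDS) or parts[1] != "MSWinEventLog":
        raise ValueError("not a 16-field Snare MSWinEventLog record")
    return dict(zip(SNARE_FIELDS, parts))

def store(conn, rec):
    """Insert with bound parameters: quotes and backslashes in the message are
    data, so nothing has to be escaped or stripped. sqlite3 stands in for
    MySQL here; MySQL drivers use %s placeholders instead of ?."""
    conn.execute(
        "INSERT INTO logs (host, event_id, user, category, msg) "
        "VALUES (?, ?, ?, ?, ?)",
        (rec["host"], int(rec["event_id"]), rec["user"], rec["category"],
         rec["description"]))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (host TEXT, event_id INTEGER, user TEXT, "
                 "category TEXT, msg TEXT)")
    store(conn, parse_snare(SAMPLE))
    return conn.execute("SELECT host, event_id, user, msg FROM logs").fetchone()

if __name__ == "__main__":
    print(demo())
```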
 
  

