On 03/06/2015 01:15 PM, Botond Botyanszki wrote:
> The first date is the syslog header. As per RFC3164 it should have a
> single digit date:
> "If the day of the month is less
> than 10, then it MUST be represented as a space and then the
> number. For example, the 7th day of August would be
> represented as "Aug  7", with two spaces between the "g" and
> the "7"."
>
> Probably many syslog implementations are able to parse it with double
> digits but to not break standards compliance you should be only replacing
> the second, i.e. the value in snare timestamp field.
Well, I'm pretty sure my last attempt was wrong. I think $EventTime as it relates to to_syslog_snare is the same value in the Snare timestamp part of the log as it is in the syslog header. replace() seems to be global and I'm guessing that the option to add the integer at the end for n occurrences reads the log from left to right. I'm not sure how I would tell it to replace only the second occurrence, so perhaps it can be written this way, such that it "rewrites" the first occurrence with the same value, then actually does something to the second. Unless there's a better way?

    <Output out>
        Module  om_tcp
        Host    XX.XX.XX.XX
        Port    514
        Exec    to_syslog_snare();\
                $raw_event = replace($raw_event, '  ', '  ', 1);\
                $raw_event = replace($raw_event, '  ', ' 0', 1);
    </Output>

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
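The problem discussed in this thread, as an added Python example (not nxlog code, and not from either poster): a Snare-over-syslog line carries the day of month twice, once in the RFC 3164 header (which must stay space-padded, "Mar  6") and once in the Snare Date/Time field. The block below shows two ways to zero-pad only the second copy: a left-to-right "replace only the n-th occurrence" helper, which is the behaviour the poster was reaching for, and a field-based rewrite that targets the tab-separated Snare Date/Time field directly and does not depend on counting spaces. It also includes a header check against the RFC 3164 day format. The sample line, hostname, counter and event text are constructed for the example and are assumptions, not captured nxlog output.

```python
import re

# Constructed sample (an assumption, not a real capture): Snare-formatted Windows
# event carried over syslog. Day of month < 10 appears in both the RFC 3164
# header ("Mar  6", space-padded) and the Snare Date/Time field ("Fri Mar  6 ...").
SAMPLE = (
    "<13>Mar  6 13:15:00 WINHOST MSWinEventLog\t1\tSecurity\t42\t"
    "Fri Mar  6 13:15:00 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWINHOST\tLogon\t\t"
    "An account was successfully logged on.\t0"
)

# RFC 3164 header: PRI, then "Mmm dd hh:mm:ss", where a day below 10 is a
# space followed by one digit. A zero-padded day ("06") deliberately fails here.
_RFC3164_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} ( [1-9]|[12]\d|3[01]) \d\d:\d\d:\d\d \S+ "
)


def header_is_rfc3164(line):
    """True if the syslog header keeps the RFC 3164 space-padded day format."""
    return _RFC3164_HEADER.match(line) is not None


def replace_nth(subject, src, dst, n):
    """Replace only the n-th occurrence (1-based, counted left to right) of src.

    If there are fewer than n occurrences the subject is returned unchanged.
    """
    pos = -1
    for _ in range(n):
        pos = subject.find(src, pos + 1)
        if pos == -1:
            return subject
    return subject[:pos] + dst + subject[pos + len(src):]


def zero_pad_snare_day(line):
    """Zero-pad the day in the Snare Date/Time field; leave the header alone.

    The Snare payload is tab-separated after the 'MSWinEventLog' marker:
    Criticality, SourceName, Counter, Date/Time, EventID, ...
    """
    head, marker, body = line.partition("MSWinEventLog")
    if not marker:
        return line  # not a Snare line: nothing to do
    fields = body.split("\t")  # fields[0] is '' (text before the first tab)
    if len(fields) <= 4:
        return line
    # "Fri Mar  6 13:15:00 2015" -> "Fri Mar 06 13:15:00 2015"
    fields[4] = re.sub(r"  (\d) ", r" 0\1 ", fields[4], count=1)
    return head + marker + "\t".join(fields)


if __name__ == "__main__":
    by_count = replace_nth(SAMPLE, "  ", " 0", 2)
    by_field = zero_pad_snare_day(SAMPLE)
    print(by_count)
    print("header still RFC 3164:", header_is_rfc3164(by_count))
    print("both methods agree:", by_count == by_field)
```

The count-based version only works because the header is guaranteed to hold the first double space; the field-based version survives event text that happens to contain two consecutive spaces, which is why it is the safer of the two for production parsing.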