Hello,
I am trying to integrate Fluentd (td-agent) with OSSEC's JSON syslog output but
am having issues with how the message is emitted. When it arrives in td-agent it
looks like:
20140513T011505+0100 ips.ossec.reformed {"host":"tstsrv1",
"ident":"ossec","message":"{ \"crit\": 7, \"id\": 510, \"description\":
\"Host-based anomaly detection event (rootcheck).\", \"component\":
\"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\", \"classification\": \"
ossec,rootcheck,\", \"message\": \"Process '748' hidden from kill (0) or getsid
(1). Possible kernel-level rootkit.\" }"}
and the problem comes when trying to use the parser plugin to do something like:
ossec_id ${id}
as what ends up in ${ossec_id} is ":", so the "\" is being included as a JSON
field. I have looked at the os_csyslogd.c code and this is part of the block
causing the issue:
snprintf(syslog_msg, OS_SIZE_2048 - padding,
         "<%d>%s %s ossec: { \"crit\": %d, \"id\": %d, \"description\": "
         "\"%s\", \"component\": \"%s\",",
         /* syslog header */
         syslog_config->priority, tstamp, __shost,
         /* OSSEC metadata */
         al_data->level, al_data->rule, json_safe_comment,
         al_data->location
);
How can the code be changed so that it does not emit the 'escaping' characters?
Thanks, Phil
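As an added example (not code from the post above, nor from OSSEC or Fluentd), the script below takes a td-agent line of the shape shown in the post, decodes the outer record with a JSON parser (which turns the `\"` sequences back into plain quotes), and then parses the record's `message` field as JSON in its own right, so `id` comes out as the integer 510 rather than a stray punctuation character. The sample line is reconstructed from the post and the helper names (`split_td_agent_line`, `flatten_ossec_record`, the `ossec_` prefix) are my own choices, not Fluentd or OSSEC APIs.

```ruby
require 'json'

# Constructed sample: the record from the post, rebuilt as one td-agent
# output line of the form "<time> <tag> <json>". The inner \" sequences are
# exactly what appears on the wire.
SAMPLE_LINE = '20140513T011505+0100 ips.ossec.reformed ' \
  '{"host":"tstsrv1","ident":"ossec","message":"{ \\"crit\\": 7, \\"id\\": 510, ' \
  '\\"description\\": \\"Host-based anomaly detection event (rootcheck).\\", ' \
  '\\"component\\": \\"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\\", ' \
  '\\"classification\\": \\" ossec,rootcheck,\\", ' \
  '\\"message\\": \\"Process \'748\' hidden from kill (0) or getsid (1). ' \
  'Possible kernel-level rootkit.\\" }"}'

# Split "<time> <tag> <json>" into its three parts and decode the outer
# record. Hypothetical helper name; the split limit keeps spaces inside the
# JSON intact.
def split_td_agent_line(line)
  time, tag, json = line.split(' ', 3)
  [time, tag, JSON.parse(json)]
end

# The OSSEC payload arrives as a JSON-encoded string inside the outer
# record's "message" field. Decode it and merge its keys under a prefix so
# they do not collide with the outer record's own keys (both levels carry a
# "message"). Records whose "message" is not JSON are returned unchanged so
# a parse failure never drops an event. Hypothetical helper name.
def flatten_ossec_record(record, prefix: 'ossec_')
  inner_text = record['message']
  return record unless inner_text.is_a?(String)

  inner = JSON.parse(inner_text)
  return record unless inner.is_a?(Hash)

  out = record.reject { |k, _| k == 'message' }
  inner.each { |k, v| out["#{prefix}#{k}"] = v }
  out
rescue JSON::ParserError
  record
end

if __FILE__ == $PROGRAM_NAME
  _time, tag, record = split_td_agent_line(SAMPLE_LINE)
  flat = flatten_ossec_record(record)
  puts "tag=#{tag} ossec_id=#{flat['ossec_id']} ossec_crit=#{flat['ossec_crit']}"
  puts JSON.pretty_generate(flat)
end
```

Run with `ruby ossec_flatten.rb`; the output record carries `ossec_id`, `ossec_crit`, `ossec_component` and friends as proper typed fields alongside `host` and `ident`, which is the shape a downstream match or filter can key on directly.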