On Tue, May 13, 2014 at 2:55 AM, Phil Daws <[email protected]> wrote:
> Hello,
>
> am trying to integrate Fluentd (td-agent) with OSSEC's JSON syslog output but
> having issues with how the message is emitted. When it arrives in td-agent
> it looks like:
>
> 20140513T011505+0100 ips.ossec.reformed {"host":"tstsrv1",
> "ident":"ossec","message":"{ \"crit\": 7, \"id\": 510, \"description\":
> \"Host-based anomaly detection event (rootcheck).\", \"component\":
> \"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\", \"classification\": \"
> ossec,rootcheck,\", \"message\": \"Process '748' hidden from kill (0) or
> getsid (1). Possible kernel-level rootkit.\" }"}
>
> and the problem comes when trying to use the parser plugin to do something
> like:
>
>     ossec_id ${id}
>
> as what ends up in ${ossec_id} is ":", so the "\" is being included as a JSON
> field. I have looked at the os_csyslogd.c code and this is part of the block
> causing the issue:
>
>     snprintf(syslog_msg, OS_SIZE_2048 - padding,
>              "<%d>%s %s ossec: { \"crit\": %d, \"id\": %d, "
>              "\"description\": \"%s\", \"component\": \"%s\",",
>
>              /* syslog header */
>              syslog_config->priority, tstamp, __shost,
>
>              /* OSSEC metadata */
>              al_data->level, al_data->rule, json_safe_comment,
>              al_data->location
>              );
>
> how can the code be changed so that it does not emit the 'escaping'
> characters?
>
> Thanks, Phil
Are you using 2.7.1? If so, try the 2.8 beta code. I think there's been some
work in this area.

--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
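An added example, not code from either poster or from OSSEC/Fluentd: a small Python consumer that parses the td-agent line quoted above and decodes the OSSEC JSON nested in the record's "message" field with json.loads, rather than regex-matching the escaped text. The sample line is re-typed from the thread; the raw "<pri>timestamp host ossec: {json}" case follows the snprintf format in the quoted os_csyslogd.c snippet and is constructed.

```python
import json
import re

# Constructed sample: the td-agent line quoted in the thread, re-typed as a
# Python string (the backslashes are what td-agent emits: OSSEC's JSON body
# arrives as a string inside the "message" field).
TD_AGENT_LINE = (
    '20140513T011505+0100 ips.ossec.reformed '
    '{"host":"tstsrv1","ident":"ossec","message":"{ \\"crit\\": 7, \\"id\\": 510, '
    '\\"description\\": \\"Host-based anomaly detection event (rootcheck).\\", '
    '\\"component\\": \\"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\\", '
    '\\"classification\\": \\" ossec,rootcheck,\\", '
    '\\"message\\": \\"Process \'748\' hidden from kill (0) or getsid (1). '
    'Possible kernel-level rootkit.\\" }"}'
)

# td-agent text output: <time> <tag> <json record>
TD_LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<tag>\S+)\s+(?P<record>\{.*\})$")
# Raw os_csyslogd form "<pri>timestamp host ossec: {json}", for the case where
# the syslog header was not stripped before the record reached us.
SYSLOG_RE = re.compile(r"^<\d+>.*?ossec:\s*(?P<body>\{.*\})$")


def split_td_agent_line(line):
    """Return (time, tag, record_dict) for one td-agent output line."""
    m = TD_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a td-agent line: %r" % line[:60])
    return m.group("time"), m.group("tag"), json.loads(m.group("record"))


def decode_ossec_event(record):
    """Decode the OSSEC JSON that record["message"] carries as a string.
    json.loads undoes the escaped quotes that a regex over the raw text
    trips on, so every field comes back with its real value and type."""
    message = record.get("message", "").strip()
    m = SYSLOG_RE.match(message)
    body = m.group("body") if m else message
    event = json.loads(body)
    for key in ("crit", "id"):  # os_csyslogd writes these with %d, so integers
        if not isinstance(event.get(key), int):
            raise ValueError("OSSEC event missing integer field %r" % key)
    return event


def regex_id_on_raw_record(line):
    """Apply a plain '"id": <number>' pattern to the undecoded record text.
    The escaped form never matches, which is why a regex-style parser run
    over the raw string does not yield the id the thread wanted."""
    record_text = line.split(" ", 2)[2]
    m = re.search(r'"id":\s*(\d+)', record_text)
    return int(m.group(1)) if m else None
```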
