On Tue Oct 27 04:32 PM, [email protected] wrote:
> On Tue, 27 Oct 2009, Martin Mielke wrote:
>
> > Hi,
> >
> > We recently started to receive logs from a Snare client.
> > I applied the configuration changes proposed here:
> > http://wiki.rsyslog.com/index.php/Using_Snare_as_a_client_on_Windows
>
> I just got a chance to read this, and I disagree with its
> recommendation
>
> the #011 is a tab.
>
> snare uses it to separate fields from the windows event log.
>
> if you just replace it with a space you lose the ability to do things
> like look for field 10 because field 8 may contain spaces.
>
> In addition there are two formats of logs that snare can output to
> syslog
>
> 1. the snare format
> 2. 'syslog' format
>
> the difference seems to be that in snare format it does
>
> Jan 1 01:01:01
> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>
> while in syslog format it does
>
> Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
>

Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric character
will terminate the TAG field and will be assumed to be the starting character
of the CONTENT field.)

The result would be:

TAG: ''
MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'

At least I think, any thoughts Rainer?

The following works for me:

    // If first character not alpha-numeric, skip tag parsing
    // (isalnum() from <ctype.h>; p2parse points at the first MSG byte)
    if( !isalnum((int)*p2parse) )
        bTAGCharDetected = 1;

Is this bad for other loggers?

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
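As an added illustration of the two points above, the RFC 3164 TAG rule and why tab-to-space rewriting breaks field numbering (example code written for this page, not rsyslog's parser): the three message strings are constructed samples modelled on the Snare and 'syslog' outputs quoted in the thread, with a made-up date field and hostname field appended.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed MSG parts (what follows "Jan 1 01:01:01 mail.abc.com ") for the
 * two Snare outputs quoted in the thread; \t is the #011 tab. The date field
 * and the trailing "DC1" host field are made up for the example. */
static const char SNARE_FMT[]  = "\tMSWinEventLog\t1\tSecurity\t4169\tFri Oct 27 2009\tDC1";
static const char SYSLOG_FMT[] = "MSWinEventLog\tSecurity\t4169\tFri Oct 27 2009\tDC1";
/* The same Snare-format line after a tab-to-space rewrite like the wiki's. */
static const char FLATTENED[]  = " MSWinEventLog 1 Security 4169 Fri Oct 27 2009 DC1";

/* RFC 3164: TAG is the leading run of alphanumerics; the first
 * non-alphanumeric character begins CONTENT. Returns the TAG length,
 * so 0 for the Snare format (leading tab) and 13 for the 'syslog' format. */
size_t rfc3164_tag_len(const char *msg)
{
    size_t n = 0;
    while (msg[n] != '\0' && isalnum((unsigned char)msg[n]))
        n++;
    return n;
}

/* Copy field `idx` (0-based) of msg, split on `sep`, into out. Empty fields
 * are kept, so numbering stays stable as long as sep never occurs inside a
 * field. Returns 1 on success, 0 if the field is missing or too long. */
int msg_field(const char *msg, char sep, size_t idx, char *out, size_t outlen)
{
    const char *p = msg;
    for (size_t i = 0; i < idx; i++) {
        const char *t = strchr(p, sep);
        if (t == NULL)
            return 0;
        p = t + 1;
    }
    const char *end = strchr(p, sep);
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outlen)
        return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* True when field idx of msg (split on sep) equals expect. */
int field_is(const char *msg, char sep, size_t idx, const char *expect)
{
    char buf[128];
    return msg_field(msg, sep, idx, buf, sizeof buf) && strcmp(buf, expect) == 0;
}
```

Splitting the original line on tabs keeps "Fri Oct 27 2009" as one field; once tabs have become spaces, the date spills into fields 5 to 8 and the host moves from field 6 to field 9.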

