On Wed, 28 Oct 2009, Jonathan Bond-Caron wrote:

> On Tue Oct 27 04:32 PM, [email protected] wrote:
>> On Tue, 27 Oct 2009, Martin Mielke wrote:
>>
>>> Hi,
>>>
>>> We recently started to receive logs from a Snare client.
>>> I applied the configuration changes proposed here:
>>> http://wiki.rsyslog.com/index.php/Using_Snare_as_a_client_on_Windows
>>
>> I just got a chance to read this, and I disagree with its
>> recommendation
>>
>> the #011 is a tab.
>>
>> snare uses it to separate fields from the windows event log.
>>
>> if you just replace it with a space you lose the ability to do things
>> like look for field 10 because field 8 may contain spaces.
>>
>> In addition there are two formats of logs that snare can output to
>> syslog
>>
>> 1. the snare format
>> 2. 'syslog' format
>>
>> the difference seems to be that in snare format it does
>>
>> Jan 1 01:01:01
>> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>>
>> while in syslog format it does
>>
>> Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
>>
>
> Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric character
> will terminate the TAG field and will be assumed to be the starting
> character of the CONTENT field.)
>
> The result would be:
> TAG: ''
> MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'
>
> At least I think, any thoughts Rainer?
>
> The following works for me:
> // If first character not alpha-numeric, skip tag parsing
> if( !isalnum((int)*p2parse) )   /* isalnum() from <ctype.h>; C has no isalphanum() */
> bTAGCharDetected = 1;
>
> Is this bad for other loggers?
if it stops on the tab it should end up

hostname = mail.abc.com

then it hits a tab, so stops putting things as part of the hostname

tag = MSWinEventLog

then it hits a tab, so stops putting things as part of the tag

message = 1#011Security#0114169#011Fri...

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
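The parsing behaviour argued over in this thread, as an added stand-alone example that is not rsyslog's code and not anything posted by the participants: a small C parser splits the post-timestamp part of a line into HOSTNAME, TAG and CONTENT using the RFC 3164 rule Jonathan quotes (TAG ends at the first non-alphanumeric character, which stays at the front of CONTENT), then addresses Snare's tab-separated fields by index. It assumes, following David Lang's reading, that the HOSTNAME parse also stops at a tab so that the "snare format" line (no space after the hostname) is handled; the sample lines, the field values in them, and the function names are constructed for the example. It works on raw tab bytes, since the "#011" in the quoted output is rsyslog's octal escape of a tab. The last part shows the point David Lang makes: once tabs become spaces, a field that itself contains spaces (here a date) shifts the positions of every field after it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 128

/* HEADER/MSG split of one RFC 3164 line after the timestamp. */
struct syslog_parts {
    char hostname[MAX_FIELD];
    char tag[MAX_FIELD];
    const char *content;   /* points into the caller's line */
};

/* Split "<hostname><sep><tag><content>". HOSTNAME ends at the first space or
 * (assumption from the thread) tab; TAG is a run of alphanumerics and ends at
 * the first other character, which stays in CONTENT as RFC 3164 says.
 * Returns 0 on success, -1 if no separator follows HOSTNAME. */
int parse_rfc3164_msg(const char *line, struct syslog_parts *out)
{
    const char *p = line;
    size_t n = 0;

    while (*p && *p != ' ' && *p != '\t' && n < MAX_FIELD - 1)
        out->hostname[n++] = *p++;
    out->hostname[n] = '\0';
    if (*p != ' ' && *p != '\t')
        return -1;
    p++;                                   /* consume the single separator */

    n = 0;
    while (*p && isalnum((unsigned char)*p) && n < MAX_FIELD - 1)
        out->tag[n++] = *p++;
    out->tag[n] = '\0';

    out->content = p;                      /* starts with the TAG terminator */
    return 0;
}

/* Copy zero-based field 'idx' of 'sep'-separated text into buf.
 * Returns 0 if the field exists, -1 otherwise. */
int nth_field(const char *s, char sep, int idx, char *buf, size_t buflen)
{
    for (int i = 0; i < idx; i++) {
        const char *t = strchr(s, sep);
        if (!t)
            return -1;
        s = t + 1;
    }
    const char *end = strchr(s, sep);
    size_t len = end ? (size_t)(end - s) : strlen(s);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    return 0;
}

/* The wiki's suggestion applied literally: every tab becomes a space. */
void tabs_to_spaces(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; in[i] && i < outlen - 1; i++)
        out[i] = in[i] == '\t' ? ' ' : in[i];
    out[i] = '\0';
}

/* Checks returning 1 when parsing/field extraction gives the expected text. */
int field_is(const char *s, char sep, int idx, const char *expected)
{
    char buf[MAX_FIELD];
    return nth_field(s, sep, idx, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int flattened_field_is(const char *s, int idx, const char *expected)
{
    char flat[256];
    tabs_to_spaces(s, flat, sizeof flat);
    return field_is(flat, ' ', idx, expected);
}

int parse_is(const char *line, const char *host, const char *tag, const char *content)
{
    struct syslog_parts p;
    return parse_rfc3164_msg(line, &p) == 0 && strcmp(p.hostname, host) == 0
        && strcmp(p.tag, tag) == 0 && strcmp(p.content, content) == 0;
}

/* Constructed sample lines (timestamp already stripped), shaped like the two
 * formats quoted in the thread; the trailing field values are invented. */
static const char *snare_fmt  = "mail.abc.com\tMSWinEventLog\t1\tSecurity\t4169\tFri Oct 23 2009\tSuccess Audit\tLogon";
static const char *syslog_fmt = "mail.abc.com MSWinEventLog\tSecurity\t4169\tFri Oct 23 2009\tSuccess Audit\tLogon";

int main(void)
{
    struct syslog_parts p;
    char buf[MAX_FIELD];
    const char *samples[] = { snare_fmt, syslog_fmt };

    for (int i = 0; i < 2; i++) {
        if (parse_rfc3164_msg(samples[i], &p) != 0)
            continue;
        printf("host=%s tag=%s\n", p.hostname, p.tag);
        /* field 0 is empty: CONTENT begins with the tab that ended the TAG */
        for (int f = 0; nth_field(p.content, '\t', f, buf, sizeof buf) == 0; f++)
            printf("  tab field %d: '%s'\n", f, buf);
    }
    /* p now holds the syslog-format parse; tab->space moves field 5 from "Logon" to "23" */
    printf("field 5 by tab is Logon: %d, after tab->space it is 23: %d\n",
           field_is(p.content, '\t', 5, "Logon"), flattened_field_is(p.content, 5, "23"));
    return 0;
}
```

Because CONTENT keeps the tab that terminated TAG, field 0 of the tab-split content is always the empty string; a pipeline that indexes Snare fields needs to account for that offset rather than "fix" it by rewriting the tabs.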

