nxlog embedding carriage returns and newlines in IETF syslog
Hello, I am using nxlog-ce 3.2.2329 on a Windows 10 system to forward logs to a syslog-ng server over TCP using the to_syslog_ietf() procedure. This is working well for most logs, but I am occasionally seeing logs being generated with carriage returns and newlines in the syslog structured data element. Here is an example captured from tcpdump. Note that this is just the beginning of the message, enough to show you where the CR LFs are in the PrivilegeList element:
<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer Microsoft-Windows-Security-Auditing 952 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4672" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="12548" OpcodeValue="0" RecordNumber="2053808" ActivityID="{FE9334EF-0152-0002-AD35-93FE5201DA01}" ThreadID="30200" Channel="Security" Category="Special Logon" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="SYSTEM" SubjectDomainName="NT AUTHORITY" SubjectLogonId="0x3e7" PrivilegeList="SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2023-10-18 16:23:23"
The body of the message has CR LFs converted to spaces. In the documentation, I see reference to a ReplaceLineBreaks directive that defaults to converting the CR LFs to spaces, but that doesn't appear to apply to the syslog structured data. Is there a way I can remove these CR LFs from the PrivilegeList, or any element? My nxlog.conf is below:
<Input eventlog>
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
Host 172.16.200.1
Exec to_syslog_ietf();
Port 514
</Output>
<Route 1>
Path eventlog => tcp
</Route>
Thanks, Steve
For the benefit of others who might find this post in the future, I addressed this by configuring nxlog to output octet-framing for syslog output, and configured my syslog-ng server to accept octet-framed IETF logs using the syslog() driver. To configure nxlog to output octet-framed logs when using unencrypted IETF syslog, you need to add OutputType Syslog_TLS to the output stream per https://docs.nxlog.co/refman/current/xm/syslog.html. The parameter name is confusing since it references TLS, even though in this case I'm not using TLS.
My final working config looks like this:
<Input eventlog>
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
OutputType Syslog_TLS
Host 172.16.200.1
Exec to_syslog_ietf();
Port 1514
</Output>
<Route 1>
Path eventlog => tcp
</Route>
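An added example (not code from the original post, nxlog or syslog-ng) showing why octet counting resolves the problem: it builds two constructed RFC 5424 messages, one carrying CR LF inside the PrivilegeList SD-PARAM like the capture above, and parses the resulting TCP stream with both RFC 6587 framings, newline-delimited (non-transparent) and octet-counted (what OutputType Syslog_TLS emits). The message bodies and function names are constructed for the demonstration.

```python
# Constructed sample: RFC 5424 message whose PrivilegeList SD-PARAM contains
# literal CR LF pairs, modelled on the tcpdump capture in the question.
PRIV_LIST = "SeAssignPrimaryTokenPrivilege\r\nSeTcbPrivilege\r\nSeSecurityPrivilege"
MSG_WITH_CRLF = (
    "<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer "
    "Microsoft-Windows-Security-Auditing 952 - "
    f'[NXLOG@14506 EventID="4672" PrivilegeList="{PRIV_LIST}"] -'
).encode()
# Constructed second message, to show record boundaries are still found.
MSG_PLAIN = b"<14>1 2023-10-18T16:24:00-04:00 SteveAcer app 1 - - second message"


def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 3.4.1 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return b"%d %s" % (len(msg), msg)


def split_non_transparent(stream: bytes) -> list[bytes]:
    """RFC 6587 3.4.2 non-transparent framing: LF terminates each record.

    Any LF inside structured data is indistinguishable from a record end,
    so the receiver sees fragments that are not valid syslog messages.
    """
    return [rec.rstrip(b"\r") for rec in stream.split(b"\n") if rec]


def split_octet_counting(stream: bytes) -> list[bytes]:
    """Parse octet-counted records; embedded CR LF can never split a record."""
    records, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # end of the decimal MSG-LEN
        length = int(stream[pos:sp])
        start = sp + 1
        if start + length > len(stream):
            raise ValueError("truncated record: stream shorter than MSG-LEN")
        records.append(stream[start:start + length])
        pos = start + length
    return records


def compare_framings() -> tuple[int, int]:
    """Records seen by a newline-delimited receiver vs. an octet-counting one."""
    nt_stream = MSG_WITH_CRLF + b"\n" + MSG_PLAIN + b"\n"
    oc_stream = frame_octet_counting(MSG_WITH_CRLF) + frame_octet_counting(MSG_PLAIN)
    return len(split_non_transparent(nt_stream)), len(split_octet_counting(oc_stream))


if __name__ == "__main__":
    print("newline-delimited records: %d, octet-counted records: %d" % compare_framings())
```

With newline framing the two messages arrive as four records, two of which are bare privilege names that no syslog parser will accept; with octet counting they arrive as exactly two intact messages.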