nxlog embedding carriage returns and newlines in IETF syslog


#1 roadgeek

Hello, I am using nxlog-ce 3.2.2329 on a Windows 10 system to forward logs to a syslog-ng server over TCP using the to_syslog_ietf() procedure. This is working well for most logs, but I am occasionally seeing logs being generated with carriage returns and newlines in the syslog structured data element. Here is an example captured from tcpdump. Note that this is just the beginning of the message, enough to show you where the CR LFs are in the PrivilegeList element:

<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer Microsoft-Windows-Security-Auditing 952 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4672" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="12548" OpcodeValue="0" RecordNumber="2053808" ActivityID="{FE9334EF-0152-0002-AD35-93FE5201DA01}" ThreadID="30200" Channel="Security" Category="Special Logon" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="SYSTEM" SubjectDomainName="NT AUTHORITY" SubjectLogonId="0x3e7" PrivilegeList="SeAssignPrimaryTokenPrivilege
                        SeTcbPrivilege
                        SeSecurityPrivilege
                        SeTakeOwnershipPrivilege
                        SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2023-10-18 16:23:23"

The body of the message has CR LFs converted to spaces. In the documentation, I see reference to a ReplaceLineBreaks directive that defaults to converting the CR LFs to spaces, but that doesn't appear to apply to the syslog structured data. Is there a way I can remove these CR LFs from the PrivilegeList, or any element? My nxlog.conf is below:

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output tcp>
    Module  om_tcp
    Host    172.16.200.1
    Port    514
    Exec    to_syslog_ietf();
</Output>

<Route 1>
    Path    eventlog => tcp
</Route>

Thanks, Steve


#2 roadgeek

For the benefit of others who might find this post in the future, I addressed this by configuring nxlog to output octet-framing for syslog output, and configured my syslog-ng server to accept octet-framed IETF logs using the syslog() driver. To configure nxlog to output octet-framed logs when using unencrypted IETF syslog, you need to add OutputType Syslog_TLS to the output stream per https://docs.nxlog.co/refman/current/xm/syslog.html. The parameter name is confusing since it references TLS, even though in this case I'm not using TLS.

My final working config looks like this:

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output tcp>
    Module      om_tcp
    OutputType  Syslog_TLS
    Host        172.16.200.1
    Port        1514
    Exec        to_syslog_ietf();
</Output>

<Route 1>
    Path    eventlog => tcp
</Route>
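To show why octet framing fixes the problem described in this thread, here is an added Python example (not from the original posts or from nxlog/syslog-ng) that frames two RFC 5424 messages with RFC 6587 octet counting, the framing OutputType Syslog_TLS produces, and compares it with newline-delimited framing. The sample messages are constructed, modelled on the tcpdump capture above; the receiver in the octet-counted case recovers the message with the embedded CR LFs intact, while the newline-delimited receiver splits it into fragments.

```python
# Constructed sample: an IETF (RFC 5424) message whose PrivilegeList SD-PARAM
# contains CR LF sequences, modelled on the tcpdump capture in the post.
MSG_WITH_CRLF = (
    '<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer '
    'Microsoft-Windows-Security-Auditing 952 - '
    '[NXLOG@14506 EventID="4672" PrivilegeList="SeAssignPrimaryTokenPrivilege\r\n'
    '    SeTcbPrivilege\r\n    SeSecurityPrivilege"] '
)
# Constructed second message with no line breaks.
MSG_PLAIN = '<14>1 2023-10-18T16:23:22-04:00 SteveAcer app 1 - - second message'


def octet_frame(msg: str) -> bytes:
    """Frame one message with RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG.
    MSG-LEN is the UTF-8 byte length, so CR LF inside the message is harmless."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_octet_framed(stream: bytes) -> list[str]:
    """Split a TCP byte stream of octet-counted frames back into whole messages."""
    msgs = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # end of the decimal MSG-LEN
        length = int(stream[pos:sp])
        start = sp + 1
        msgs.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return msgs


def parse_newline_framed(stream: bytes) -> list[str]:
    """Non-transparent framing (LF-delimited), the default without OutputType
    Syslog_TLS: every LF is taken as a record boundary, even inside SD-PARAMs."""
    return [chunk.decode("utf-8") for chunk in stream.split(b"\n") if chunk]


def demo() -> tuple[int, int]:
    """Return (messages recovered with octet framing, records seen with LF framing)."""
    octet_stream = octet_frame(MSG_WITH_CRLF) + octet_frame(MSG_PLAIN)
    lf_stream = MSG_WITH_CRLF.encode() + b"\n" + MSG_PLAIN.encode() + b"\n"
    return len(parse_octet_framed(octet_stream)), len(parse_newline_framed(lf_stream))


if __name__ == "__main__":
    print(demo())  # 2 messages with octet framing vs. 4 fragments with LF framing
```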