Hi,

RFC5424 and all transports (except obsolete non-octet-counted TCP) can handle MSG containing ANY character including newlines and carriage returns.

In violation of the above, NxLog's to_syslog_ietf() function backslash-escapes these two characters. Furthermore, the escaping scheme is broken because it doesn't also escape the escape character itself (the backslash) so there's no way to reliably un-escape the MSG on the receiving end.

The correct behaviour is to stop escaping these characters altogether. In the rare case that someone needs to send multiline messages over non-octet-counted TCP, they can escape/unescape the $Message themselves using NxLog's replace() function.

Patch below.

RFC References: https://tools.ietf.org/html/rfc5424#section-6.4 https://tools.ietf.org/html/rfc6587#section-3.4

Regards, Ron MacNeil

--- src/modules/extension/syslog/syslog.c.orig 2014-07-19 23:52:06.000000000 +1000 +++ src/modules/extension/syslog/syslog.c 2016-07-26 14:01:57.296175500 +1000 @@ -1321,16 +1321,8 @@ nx_syslog_add_structured_data(logdata);

 // Append message

• i = (int) logdata->raw_event->len; nx_string_append(logdata->raw_event, " ", 1); nx_string_append(logdata->raw_event, msg.string->buf, (int) msg.string->len);

• for ( ; i < (int) logdata->raw_event->len; i++ )

• { // replace linebreaks with space

•   if ( (logdata->raw_event->buf[i] == '\n') || (logdata->raw_event->buf[i] == '\r') )
  

•   {
  

•       logdata->raw_event->buf[i] = ' ';
  

•   }
  

• }

  if (tmpmsg != NULL) { // clean up temp copy