
I have to retain the new lines in a syslog.  I'm using NXLog to send logs from my laptop to a test syslog server.  I'm currently using the following:

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Exec        to_syslog_ietf();
</Input>

<Processor rewrite>
    Module      pm_null
    Exec        $Message = $EventID + "|" + $EventType + "|" + $Hostname + "|" + $SourceName + "|" + $AccountName + "|" + $AccountType + "|" + $Domain + "|" + $UserID + "|" + $raw_event;
</Processor>

<Output out>
    Module      om_udp
    Host        192.168.100.33
    Port        514
    #Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        in => rewrite => out
</Route>

The way I can get the logs to send with the \r\n intact is to remove the Exec to_syslog_snare(), but then I lose all the other details about the log, such as event ID etc.  So I thought, OK, I'll construct my own by using Exec $Message = all the data fields I want....this doesn't work...so then I started playing with to_syslog_ietf() and to_syslog_bsd(), and they both strip out new lines.

What am I doing wrong?

Asked June 29, 2017 - 11:24pm

Answer (1)

Linebreaks in syslog cause problems with TCP transport and are removed. We are planning to make this configurable.

Comments (2)

  • tdavis

    Ok, so that explains it... ;)  Is there any way I could process/replace the newlines with another delimiter of my choosing before it gets processed by to_syslog_snare() or equivalent?

  • b0ti (NXLog)

    You could try the following workaround:

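    # to_syslog_snare() is a procedure that writes $raw_event, so it is called as a statement before the line breaks are restored
    Exec $Message = replace($Message, "\r\n", '\r\n'); to_syslog_snare(); $raw_event = replace($raw_event, '\r\n', "\r\n");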
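
Why embedded line breaks are a problem for syslog over TCP, and how the escape-and-restore workaround from the comment above avoids it, as an added Python example that is not part of the original thread or of NXLog. The sample message is constructed and the function names are hypothetical; the two framing styles are the newline-terminated and octet-counted forms described in RFC 6587.

```python
# Constructed sample: an event message that contains CRLF line breaks.
SAMPLE = "4624|An account was successfully logged on.\r\nSubject:\r\n\tSecurity ID: S-1-5-18"

def frame_lf(messages):
    """Newline-terminated framing: each message is followed by a single LF."""
    return b"".join(m.encode() + b"\n" for m in messages)

def split_lf(stream):
    """Receiver side of newline framing: every LF ends a record."""
    return [r.decode() for r in stream.split(b"\n") if r]

def frame_octets(messages):
    """Octet-counted framing: '<length> <message>' with no terminator."""
    out = b""
    for m in messages:
        data = m.encode()
        out += str(len(data)).encode() + b" " + data
    return out

def split_octets(stream):
    """Receiver side of octet counting: read the length, then that many bytes."""
    records, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        size = int(stream[pos:sp])
        records.append(stream[sp + 1:sp + 1 + size].decode())
        pos = sp + 1 + size
    return records

def escape_newlines(msg):
    """Sender-side workaround: turn CRLF into the four literal characters \\r\\n.
    Not reversible if the message already contains that literal sequence."""
    return msg.replace("\r\n", "\\r\\n")

def unescape_newlines(msg):
    """Receiver side: restore the real CRLF sequences."""
    return msg.replace("\\r\\n", "\r\n")

if __name__ == "__main__":
    # One event becomes three records when line breaks reach an LF-framed stream.
    print(len(split_lf(frame_lf([SAMPLE]))), "records with raw line breaks")
    # Escaped first, the event stays one record and can be restored afterwards.
    escaped = split_lf(frame_lf([escape_newlines(SAMPLE)]))
    print(len(escaped), "record when escaped;",
          "restored intact:", unescape_newlines(escaped[0]) == SAMPLE)
    # Octet counting carries the line breaks without any escaping.
    print(split_octets(frame_octets([SAMPLE])) == [SAMPLE])
```

The restore step belongs on whatever consumes the records after they have been split; restoring before an LF-framed hop would reintroduce the split.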