airpwn / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

update rewrite r_from_pipes in syslog-ng.conf #205

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The current definition of "rewrite r_from_pipes" on line 52 of syslog-ng.conf 
is causing problems for logs that arrive pipe '|' delimited:
rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global)); };

See Reference:
https://groups.google.com/d/topic/enterprise-log-search-and-archive/X6vExLLCT3g/discussion
https://groups.google.com/d/topic/enterprise-log-search-and-archive/aSjnKuviZaQ/discussion

I believe replacing that definition with this one should fix the issue.  I can 
confirm it works with bro logs containing pipe chars, just waiting to hear from 
Michael (first discussion above) whether it works for him:
rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };

Original issue reported on code.google.com by kebut...@gmail.com on 12 Mar 2014 at 2:09
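The following is an added example, not code from the ELSA project or from the issue reporter. It models the two versions of the r_from_pipes rule in Python so the failure mode can be seen on sample input: the original rule encodes every pipe in every MESSAGE, which destroys the delimiters of a log source that legitimately uses '|' as its field separator, while the conditional version limits the encoding to programs matching the bro_* glob. The pipe-delimited downstream record layout, the program name "myapp", its pattern and both sample messages are assumptions constructed for the simulation, not ELSA's actual template or real captured logs.

```python
import fnmatch
import re
from urllib.parse import unquote

# Pattern and replacement taken from the subst() call in the issue:
#   subst('\|', "%7C", value("MESSAGE") flags(global) ...)
PIPE_RE = re.compile(r"\|")
ENCODED_PIPE = "%7C"


def r_from_pipes(program, message, condition_glob=None):
    """Model of the syslog-ng rewrite rule.

    condition_glob=None models the original rule: every MESSAGE is rewritten.
    condition_glob="bro_*" models the proposed
    condition(program("bro_*" type(glob))): only matching programs are touched.
    flags(global) replaces every pipe, which re.sub also does.
    """
    if condition_glob is not None and not fnmatch.fnmatchcase(program, condition_glob):
        return message
    return PIPE_RE.sub(ENCODED_PIPE, message)


def forwarded_record(program, message, condition_glob=None):
    """Build the pipe-delimited line handed downstream and split it again.

    Assumption (not ELSA's exact template): fixed header fields and the
    rewritten MESSAGE are joined with '|' and the consumer splits on '|'.
    An unescaped pipe inside MESSAGE therefore shifts every later field.
    """
    rewritten = r_from_pipes(program, message, condition_glob)
    line = "|".join(["1394630400", "sensor1", program, rewritten])
    return line.split("|")


# Constructed samples.  A Bro-style HTTP message whose URI value contains a
# literal pipe, and a hypothetical program "myapp" that uses '|' as its own
# field separator and whose parsing pattern expects those pipes to survive.
BRO_HTTP_MSG = "10.0.0.5 54321 93.184.216.34 80 GET /search?q=a|b"
MYAPP_MSG = "user=alice|action=login|result=fail"
MYAPP_PATTERN = re.compile(r"user=(\S+)\|action=(\S+)\|result=(\S+)")


def myapp_parses(condition_glob=None):
    """Does the pipe-delimited 'myapp' pattern still match after the rewrite?"""
    rewritten = r_from_pipes("myapp", MYAPP_MSG, condition_glob)
    return MYAPP_PATTERN.fullmatch(rewritten) is not None


def bro_message_recovered(condition_glob=None):
    """Return (downstream field count, original MESSAGE recoverable by %-decoding)."""
    fields = forwarded_record("bro_http", BRO_HTTP_MSG, condition_glob)
    return len(fields), unquote(fields[-1]) == BRO_HTTP_MSG


if __name__ == "__main__":
    # Original global rule: the Bro record stays aligned, but myapp's own
    # delimiters are turned into %7C and its pattern no longer matches.
    print("global rule:     bro", bro_message_recovered(None), "myapp parses", myapp_parses(None))
    # Proposed rule: Bro is still encoded, myapp is left alone.
    print("bro_* condition: bro", bro_message_recovered("bro_*"), "myapp parses", myapp_parses("bro_*"))
    # Why the rule exists at all: with no rewrite (a glob that matches nothing)
    # the pipe inside the URI produces a fifth field downstream.
    print("no rewrite:      bro fields", len(forwarded_record("bro_http", BRO_HTTP_MSG, "nonbro_*")))
```

Run it to see the three cases side by side. The point of the conditional form is that the encoding is only needed where the source itself never uses '|' as a delimiter but may carry one inside a value (the Bro case); applying it to every program trades a field-alignment problem on one source for a parsing failure on every source that is pipe-delimited by design.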

GoogleCodeExporter commented 9 years ago
It appears this is working, for at least two of us.  One of us trying to 
exclude pipes in logs, and the other trying to accept pipe delimited logs.

Original comment by kebut...@gmail.com on 13 Mar 2014 at 12:55