[rsyslog-notify] Forum Thread: How to remove or escape backslash in CEF fields ? - (Mode 'post')
noreply at adiscon.com
Tue May 19 10:08:39 CEST 2015
User: vdesabou
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25626#p25626
Message:
----------
Hello,
I'm using the configuration described in http://kb.monitorware.com/how-convert-from-cef-csv-and-forward-message-t12589.html :
[code:11fhc9tg]
module(load="mmnormalize")
template(name="csv" type="list") {
# CSV
constant(value="0")
constant(value=",")
property(name="$!cef!DeviceVendor" format="csv"
controlcharacters="drop")
constant(value=",")
property(name="$!cef!DeviceProduct" format="csv"
controlcharacters="drop")
constant(value=",")
property(name="$!cef!DeviceVersion" format="csv"
controlcharacters="drop")
constant(value=",")
property(name="$!cef!SignatureID" format="csv"
controlcharacters="drop")
constant(value=",")
property(name="$!cef!Name" format="csv" controlcharacters="drop")
constant(value=",")
property(name="$!cef!Severity" format="csv"
controlcharacters="drop")
constant(value=",")
property(name="$!cef!Extensions!act" format="csv")
constant(value="\n")
...
}
ruleset(name="cef_ruleset") {
# CEF message
if $msg startswith ' CEF:0' then {
action(type="mmnormalize"
ruleBase="/etc/rsyslog.d/cef.rb"
useRawMsg="off"
)
action(type="omfwd" Target="localhost" Port="514" Protocol="tcp"
template="csv")
} else {
action(type="omfwd" Target="localhost" Port="514" Protocol="tcp")
}
}
input(type="imtcp" port="514" ruleset="cef_ruleset")
input(type="imudp" port="514" ruleset="cef_ruleset")
[/code:11fhc9tg]
[code:11fhc9tg]
cat /etc/rsyslog.d/cef.rb
rule=: %cef:cef%
[/code:11fhc9tg]
My problem is when a message contains a field with "\\" in it:
example: act=\\EN6.SSH03 as below:
[code:11fhc9tg]
syslog -s -r centos -l 4
"CEF:0|Foo|Netcool|10.0.0.15.0|rule:101|FOO|High|
eventId=24934219569 act=\\EN6.SSH03"
[/code:11fhc9tg]
In this case mmnormalize is not working:
[code:11fhc9tg]
{ "originalmsg": "
CEF:0|Foo|Netcool|10.0.0.15.0|rule:101|FOO|High|
eventId=24934219569 act=\\EN6.SSH03", "unparsed-data":
"CEF:0|Foo|Netcool|10.0.0.15.0|rule:101|FOO|High|
eventId=24934219569 act=\\EN6.SSH03" }
0,"","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""
[/code:11fhc9tg]
Is there a way to prevent this?
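As an added illustration of what the message above actually contains (this is example code written for this page, not part of the post, of rsyslog or of liblognorm's cef parser): the CEF format defines `\\` in both the header and the extension as the escape sequence for one literal backslash, and `\|` (header) and `\=` (extension) as escaped delimiters. The parser below resolves those escapes instead of splitting on them, then writes the same column order as the thread's `csv` template. The sample message is the one from the thread, embedded as a constant; `drop_control_characters` is an assumed approximation of the template's `controlcharacters="drop"` option.

```python
import csv
import io
import re

# Constructed sample input: the message from the thread as it is sent on the
# wire. "act=\\EN6.SSH03" carries two literal backslashes, which the CEF
# format defines as the escape sequence for a single backslash.
SAMPLE = r"CEF:0|Foo|Netcool|10.0.0.15.0|rule:101|FOO|High|eventId=24934219569 act=\\EN6.SSH03"

HEADER_NAMES = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                "SignatureID", "Name", "Severity"]

# A key is a run of key characters at the start of the extension or after
# whitespace, followed by "=".  An escaped "\=" inside a value never matches,
# because the backslash is not part of the key character class.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_header(msg):
    """Split the seven pipe-delimited header fields.

    "\\|" is an escaped pipe and "\\\\" an escaped backslash; both are
    unescaped here rather than treated as delimiters.  Returns the header
    fields and the remaining extension string.
    """
    fields, buf, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            buf.append(msg[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF:<version> message with 7 header fields")
    return fields, msg[i:]


def unescape_extension(value):
    """Resolve the CEF extension escapes \\=, \\\\, \\n and \\r."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "=\\":
                out.append(nxt)
                i += 2
                continue
            if nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_extensions(ext):
    """Return the key=value pairs; values may themselves contain spaces."""
    keys = list(KEY_RE.finditer(ext))
    pairs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = unescape_extension(ext[m.end():end].strip())
    return pairs


def parse_cef(msg):
    """Parse one CEF line into header fields plus an Extensions dict."""
    fields, ext = split_header(msg)
    record = {"Version": fields[0][len("CEF:"):]}
    record.update(zip(HEADER_NAMES, fields[1:]))
    record["Extensions"] = parse_extensions(ext)
    return record


def drop_control_characters(value):
    """Assumed equivalent of the template's controlcharacters="drop"."""
    return "".join(ch for ch in value if ord(ch) >= 0x20)


def to_csv_line(record):
    """Emit the column order of the thread's "csv" template, every field quoted."""
    row = [record["Version"]]
    row += [drop_control_characters(record[name]) for name in HEADER_NAMES]
    row.append(record["Extensions"].get("act", ""))
    out = io.StringIO()
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed)
    print(to_csv_line(parsed), end="")
```

Running it on the thread's message yields `act` equal to a single backslash followed by `EN6.SSH03`, and a CSV line with the value quoted; feeding a rule base a sample that has already been unescaped (or comparing its output against this) is a quick way to tell whether a parser treats `\\` as an escape or as a literal.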