This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Wrong syslog_full output. #93

Closed
dzruyk opened this issue Jun 21, 2013 · 3 comments

Comments

@dzruyk

dzruyk commented Jun 21, 2013

Hello.
I encountered that the base64_STATIC() (and also base64()) functions are not correctly creating the BASE64 digest.

When the string is long, an additional '\n' is inserted into the output by the condition:

    /* wraps the base64 output after every 72 columns */
    if(cols == 72)
    {
        *output = '\n'; output++;
        cols = 0;
    }

For example, when I use the syslog_full output plugin, in my /var/messages I see:

Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ] || 2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1] || [Unknown Classification] || 6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0 || 57929 22 3382172796 3250754374 8 0 24 365 5378 0 || 75 CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA#012AQEICgAeauAANwl0dGVzdDEyMw0K || #012 |

which I can't parse correctly, because the substring

'#012'

is present in the middle of the base64 string.

Is this a code mistake, or am I misunderstanding something?

PS: Thanks for any answers, and sorry for my English.

@binf
Collaborator

binf commented Jun 21, 2013

On Fri, Jun 21, 2013 at 8:44 AM, Boris notifications@github.com wrote:

> Hello.
> I encountered that the base64_STATIC() (and also base64()) functions are not correctly creating the BASE64 digest.
>
> When the string is long, an additional '\n' is inserted into the output by the condition:
>
>     if(cols == 72)
>     {
>         *output = '\n'; output++;
>         cols = 0;
>     }
>
> For example, when I use the syslog_full output plugin, in my /var/messages I see:
>
> Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ] || 2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1] || [Unknown Classification] || 6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0 || 57929 22 3382172796 3250754374 8 0 24 365 5378 0 || 75 CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA#012AQEICgAeauAANwl0dGVzdDEyMw0K || #12 |

Under which OS do you log locally to syslog?

Seems like your syslog server would be doing that.

Do you use rsyslog?

If you do, you might want to look into this:
http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html

-elz

@dzruyk
Author

dzruyk commented Jul 5, 2013

Thanks a lot for the reply. EscapeControlCharactersOnReceive works perfectly.

An additional question about the syslog_full format.

I use the output log_syslog_full with the operation_mode complete directive,
and at the end of every alert (after the encoded payload) I see something like this (I use the default delimiters and separators):

PAYLOAD || \n | \0

where \n is the newline symbol
and \0 is the end-of-string symbol.

Is this a format mistake?

If yes, I assume it's because inside OpSyslog_Log we use OpSyslog_Concat(syslogContext) to append the last newline character, and when the operation mode is "complete" it gets wrapped in
syslogContext->delim.

@binf
Collaborator

binf commented Jul 5, 2013

On Fri, Jul 5, 2013 at 6:21 AM, Boris notifications@github.com wrote:

> Thanks a lot for the reply. EscapeControlCharactersOnReceive works perfectly.
>
> An additional question about the syslog_full format.
>
> I use the output log_syslog_full with the operation_mode complete directive,
> and at the end of every alert (after the encoded payload) I see something like this (I use the default delimiters and separators):
>
> PAYLOAD || \n | \0
>
> where \n is the newline symbol
> and \0 is the end-of-string symbol.
>
> Is this a format mistake?
>
> If yes, I assume it's because inside OpSyslog_Log we use OpSyslog_Concat(syslogContext) to append the last newline character, and when the operation mode is "complete" it gets wrapped in
> syslogContext->delim.

Yes, the delimiter is appended by OpSyslog_Concat,
but you could always ignore it in a regex by using something like

|| ($1) || \n |

where $1 would be your actual syslog pattern message for complete mode.

-elz
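Both questions in this thread (the "#012" inside the base64 payload, and the trailing " || \n |" that OpSyslog_Concat appends in complete mode) are things the consumer of the log line can handle itself. The parser below is an added example written for this page; it is not barnyard2 code and not rsyslog code. It takes the exact line from the first comment (constructed here as a string, with the newline escapes as rsyslog writes them when $EscapeControlCharactersOnReceive is on, using rsyslog's default "#" plus three octal digits), undoes the escaping, drops the complete-mode trailer, joins the 72-column-wrapped base64, checks the decoded length against the "75" the plugin printed in front of it, and then decodes the Ethernet/IPv4/TCP headers to confirm they agree with the IP and TCP fields the plugin logged. The field positions inside the IP and TCP segments are inferred from this one sample line rather than read from the plugin's source, so treat them as an assumption. Keeping the escaping on and reversing it in the parser is the safer route: turning EscapeControlCharactersOnReceive off lets raw control characters from any field, not only the base64 one, straight into the log file, which is what the directive exists to prevent, and since '#' is not in the base64 alphabet the unescape cannot collide with payload characters.

```python
"""Parse a barnyard2 syslog_full line as rsyslog stores it and recover the packet."""
import base64
import re
import socket
import struct

# Constructed sample: the line from the issue report as rsyslog wrote it with
# $EscapeControlCharactersOnReceive on. The '\n' that base64() inserts after 72
# output columns arrives as "#012", and so does the '\n' of the trailing " || \n |".
SAMPLE_LINE = (
    "Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ] || "
    "2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1] || "
    "[Unknown Classification] || "
    "6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0 || "
    "57929 22 3382172796 3250754374 8 0 24 365 5378 0 || "
    "75 CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA"
    "#012AQEICgAeauAANwl0dGVzdDEyMw0K || #012 |"
)

SEPARATOR = " || "      # default syslog_full field separator
TRAILER = " || \n |"    # what OpSyslog_Concat leaves after the payload in complete mode
_RSYSLOG_ESCAPE = re.compile(r"#([0-7]{3})")  # rsyslog's default control-char escape


def rsyslog_unescape(text):
    """Undo rsyslog's control-character escaping ('#' followed by 3 octal digits)."""
    return _RSYSLOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_syslog_full(line):
    """Split one complete-mode line into fields and base64-decode the payload.

    Field positions in the IP and TCP segments are an assumption inferred from
    the sample line above, not taken from the plugin's source.
    """
    line = rsyslog_unescape(line.rstrip("\n"))
    if line.endswith(TRAILER):      # ignore the complete-mode trailer
        line = line[:-len(TRAILER)]
    fields = line.split(SEPARATOR)
    if len(fields) < 6:
        raise ValueError("not a syslog_full complete-mode line")
    ip, tcp = fields[3].split(), fields[4].split()
    declared_len, b64 = fields[5].split(None, 1)
    # base64() wraps at 72 columns; join the wrapped lines before decoding.
    payload = base64.b64decode(b64.replace("\n", ""), validate=True)
    if len(payload) != int(declared_len):
        raise ValueError("payload is %d bytes, plugin declared %s" % (len(payload), declared_len))
    return {
        "proto": int(ip[0]), "src": ip[1], "dst": ip[2], "ip_len": int(ip[6]),
        "sport": int(tcp[0]), "dport": int(tcp[1]), "seq": int(tcp[2]), "ack": int(tcp[3]),
        "payload": payload,
    }


def decode_packet(frame):
    """Decode Ethernet/IPv4/TCP headers from the raw frame bytes the plugin logged."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    tcp_off = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_res, flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", frame[tcp_off:tcp_off + 20])
    data_off = tcp_off + (off_res >> 4) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "proto": proto, "ip_len": total_len, "ident": ident,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "data": frame[data_off:14 + total_len],   # application data after TCP options
    }


def check_consistency(line):
    """Parse a line and verify the decoded packet agrees with the logged fields."""
    rec = parse_syslog_full(line)
    pkt = decode_packet(rec["payload"])
    for key in ("src", "dst", "proto", "ip_len", "sport", "dport", "seq", "ack"):
        if rec[key] != pkt[key]:
            raise ValueError("field %s: log says %r, packet says %r" % (key, rec[key], pkt[key]))
    return pkt


if __name__ == "__main__":
    p = check_consistency(SAMPLE_LINE)
    print("%s:%d -> %s:%d ttl=%d flags=0x%02x data=%r" % (
        p["src"], p["sport"], p["dst"], p["dport"], p["ttl"], p["flags"], p["data"]))
```

Run against the sample line, the 72-character first base64 chunk and the 28-character second chunk decode to the 54 + 21 = 75 bytes the plugin declared, the IP identification, checksum, sequence and acknowledgement numbers in the frame match the decimal values in the log, and the application data after the TCP options is the "test123" the sender typed. If a line fails the length or field cross-check, the payload was altered between barnyard2 and the file, which is the first thing to rule out before blaming the plugin's encoder.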

@dzruyk dzruyk closed this as completed Jul 5, 2013