Is the issue related to the environment of the customer or Software related issue?
It's related to syslog-ng/sc4s configuration.
Describe the bug
When I am sending a specific message to sc4s, I get sort of an "error", more of an informational message, logged from sc4s:
- - syslog-ng 158 - [meta sequenceId="43428"]Value names cannot be longer than 255 characters, this value will always expand to the empty string; value='.values.XXXXXXXXXXXXX'
The content that was replaced with XXXXXXXX is base64 encoded and ends with a = character in the original message.
How can I get rid of these error messages?
I am sure that some parser is used on this message and, due to the value ending with a =, sc4s is trying to use everything before it as a key and everything after as value.
I assume I simply need to add an app parser to stop this behaviour.
The message below is just an example, so this is a general question and independent of sourcetype/vendor_product.
Splunk Support told me to open an issue here.
Sorry for the delay! This error, "Value names cannot be longer than 255 characters, this value will always expand to the empty string", is related to https://github.com/syslog-ng/syslog-ng. I already had a direct conversation with the syslog-ng author. I am not sure that we can fix it very fast.
But I will think about it; probably we can make a workaround for this case.
Was the issue replicated by support?
yes.
What is the sc4s version ?
2.48
Is there a pcap available?
yes.
To Reproduce
Steps to reproduce the behavior:
echo "<13>Nov 08 12:59:54 1.1.1.1 f5req_forward_clone[-]: F5-REQ-VERSION:v1:date_time='2023-11-08 13:59:54',clientip='1.2.2.2',host='[host.example.com](https://host.example.com/)' ,http_host='[host.example.com](https://host.example.com/)',http_responsecode='200',http_username='makemelongenoughtotriggerAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABASE64CONTENTendingwitha=',http_user-agent='PHP-SOAP-CURL',http_referer='',http_xff='3.3.3.3',http_request_id='',cached='false',virtualname='something',virtualip='4.4.4.4',virtualport='443',http_method='POST',http_path='/bla/blub.asmx',http_query='',http_version='HTTP/1.1',http_response_size='10092',http_response_time='32',nodeip='4.4.4.4',nodeport='443',snatpool='/Common/SNAT_Something_Pool',snatip='6.6.6.6',snatport='34470',pool='/Common/blub.app/blapool8',req_type='response'" | nc -u -w 0 {SC4S_IP} 514