
Comments (3)

binf avatar binf commented on August 20, 2024

On Fri, Jun 21, 2013 at 8:44 AM, Boris [email protected] wrote:

Hello.
I encountered that the base64_STATIC() (and also base64()) functions are not correctly creating the BASE64 digest.

When the string is long, an additional '\n' is inserted into the output by the:

if(cols == 72)
{
*output = '\n'; output++;
cols = 0;
}

condition.

For example, when I use the syslog_full output plugin, in my /var/messages I see:

Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ] || 2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1] || [Unknown Classification] || 6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0 || 57929 22 3382172796 3250754374 8 0 24 365 5378 0 || 75 CAAnr4YhCAAnnKmBCABFEAA9tNBAAEAGzd3AqJtjwKibSOJJABbJl9x8wcKTRoAYAW0VAgAA#012AQEICgAeauAANwl0dGVzdDEyMw0K || #12 |

Under which OS do you log locally to syslog?

Seems like your syslog server would be doing that.

Do you use rsyslog?

If you do, you might want to look into this:
http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html

-elz

from barnyard2.

dzruyk avatar dzruyk commented on August 20, 2024

Thanks a lot for the reply. EscapeControlCharactersOnReceive works perfectly.

Additional question about syslog_full format.

I use the log_syslog_full output with the operation_mode complete directive,
and at the end of every alert (after the encoded payload) I see something like this (I use the default delimiters and separators):

PAYLOAD || \n | \0

where \n - newline symbol
and \0 end of string symbol.

Is this a format mistake?

If yes, I assume that it's because inside OpSyslog_Log we use OpSyslog_Concat(syslogContext) to append the last newline character, and when the operation mode is "complete" it will be wrapped around syslogContext->delim.

from barnyard2.

binf avatar binf commented on August 20, 2024

On Fri, Jul 5, 2013 at 6:21 AM, Boris [email protected] wrote:

Thanks a lot for the reply. EscapeControlCharactersOnReceive works perfectly.

Additional question about syslog_full format.

I use the log_syslog_full output with the operation_mode complete directive,
and at the end of every alert (after the encoded payload) I see something like this (I use the default delimiters and separators):

PAYLOAD || \n | \0

where \n - newline symbol
and \0 end of string symbol.

Is this a format mistake?

If yes, I assume that it's because inside OpSyslog_Log we use OpSyslog_Concat(syslogContext) to append the last newline character, and when the operation mode is "complete" it will be wrapped around syslogContext->delim.

Yes, the delimiter is appended by OpSyslog_Concat,
but you could always ignore it in a regex by using something like: ($1) || \n |

Where $1 would be your actual syslog pattern message for complete mode.

-elz

from barnyard2.
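The two points in this thread (the '\n' that the base64 encoder drops into the payload every 72 columns, which rsyslog's EscapeControlCharactersOnReceive rewrites as '#012', and the trailing ' || \n |' that OpSyslog_Concat appends in complete mode) can be handled together on the consuming side. The following is an added example for this thread, not barnyard2 or rsyslog code: the base64 wrapping and the rsyslog escaping are re-implementations of the behaviour described above, the ' || ' separator and the ' || \n |' tail are taken from the log line and the comment in the thread, and the field names, alert values and payload bytes are constructed for illustration.

```python
"""Reassemble a barnyard2 log_syslog_full record after rsyslog has escaped it.

Added example for this thread, not barnyard2 or rsyslog code. The separator
and the tail are what the thread shows; field names and sample data are
constructed here.
"""
import base64
import re

COLS = 72            # wrap width from the quoted base64_STATIC() condition
FIELD_SEP = " || "   # separator between fields as seen in the thread's line
TAIL_RE = re.compile(r"\s*\|\|\s*\n\s*\|\s*$")   # the ' || \n |' tail


def base64_wrapped(data: bytes, cols: int = COLS) -> str:
    """Base64 with a '\n' after every `cols` output characters, i.e. the
    behaviour the issue reports (a re-implementation, not the C code)."""
    out, n = [], 0
    for ch in base64.b64encode(data).decode("ascii"):
        out.append(ch)
        n += 1
        if n == cols:            # same condition as `if(cols == 72)` above
            out.append("\n")
            n = 0
    return "".join(out)


def rsyslog_escape(msg: str) -> str:
    """Approximation of $EscapeControlCharactersOnReceive on: every control
    character becomes '#' plus its three-digit octal code, so '\n' -> '#012'."""
    return "".join(f"#{ord(c):03o}" if ord(c) < 0x20 else c for c in msg)


def rsyslog_unescape(msg: str) -> str:
    """Reverse the escaping. Caveat: a literal '#' followed by three octal
    digits in the original message is indistinguishable from an escape, so
    decode only fields you know were escaped (base64 never contains '#')."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), msg)


# Constructed values in the shape of the thread's log line (assumptions).
HEADER = "Jun 21 14:39:06 localhost | [SNORTIDS[LOG]: [test-sn01] ]"
ALERT_FIELDS = (
    "2013-06-21 14:38:59.792+004 0 [1:1999999999:1] Snort Alert [1:1999999999:1]",
    "[Unknown Classification]",
    "6 192.168.155.99 192.168.155.72 4 20 16 61 46288 2 0 52701 0",
    "57929 22 3382172796 3250754374 8 0 24 365 5378 0",
)
PAYLOAD = bytes(range(256)) * 2   # 512 bytes -> 684 base64 chars -> 9 wraps


def build_record(alert_fields, payload: bytes) -> str:
    """Constructed complete-mode record as barnyard2 would emit it: syslog
    header, fields, wrapped base64 payload, then the ' || \n |' tail."""
    body = FIELD_SEP.join(list(alert_fields) + [base64_wrapped(payload)])
    return HEADER + FIELD_SEP + body + " || \n |"


def parse_record(line: str) -> dict:
    """Parse one stored line: unescape, strip the tail, split, decode payload.
    Works on the raw record too, since it then contains no '#ooo' escapes."""
    text = rsyslog_unescape(line)
    stripped, n_tail = TAIL_RE.subn("", text)
    fields = stripped.split(FIELD_SEP)
    if n_tail != 1 or len(fields) < 2:
        raise ValueError("not a complete-mode log_syslog_full record")
    payload_b64 = fields[-1].replace("\n", "")   # drop the 72-column wraps
    return {
        "header": fields[0],
        "alert": fields[1:-1],
        "payload": base64.b64decode(payload_b64, validate=True),
    }


def demo():
    """Round trip: emit the record, escape it like rsyslog, parse it back."""
    raw = build_record(ALERT_FIELDS, PAYLOAD)
    stored = rsyslog_escape(raw)        # what lands in /var/log/messages
    return raw, stored, parse_record(stored)


if __name__ == "__main__":
    raw, stored, rec = demo()
    print(stored[:120], "...")
    print("payload bytes recovered:", len(rec["payload"]))
```

The tail regex does in code what the suggested `($1) || \n |` pattern does: it peels the delimiter off before the fields are split, so the base64 field is the last one and can be decoded once the wrap newlines are removed. Choosing `payload_encoding hex` in the barnyard2 config avoids the wrapping problem altogether, since hex output carries no newlines.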
