Idea ID: 2805934

SmartConnector syslog-ng RFC5424 extension can't interpret escape characters

Status: Waiting for Votes
11 months ago

Hi,

we still encounter problems with RFC5424 logs which include comments inside a structured data field. Those comments are encapsulated with quotes and therefore these quotes get escaped.

e.g.
eventType="PAM:session_closed for acct=\"root\""

It may also be an issue that a second equal (=) sign appears, but I can't tell. This leads to the problem that the whole structured data gets skipped and just unstructured data is parsed. I would assume that it produces an empty field, but that is not the case, so there might be more incorrect interpretations.

Due to GDPR I can't attach the original logs, but escaping characters is a valid RFC5424 procedure which should be fixed in general.
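
The escaping rule the post refers to, shown as an added example that is not part of the original post and not SmartConnector code: a minimal Python parser for RFC 5424 STRUCTURED-DATA that unescapes the three characters the RFC requires to be escaped inside a parameter value (double quote, backslash, closing bracket) and treats a second equal sign inside the value as ordinary text. The SD-ID pam@32473 and the note parameter are constructed for the sample; only the eventType value comes from the post.

```python
"""Parse an RFC 5424 STRUCTURED-DATA string, honouring PARAM-VALUE escapes."""

ESCAPABLE = '"\\]'  # RFC 5424 section 6.3.3: only these three are escaped


def parse_structured_data(sd: str) -> dict:
    """Return {sd_id: {param_name: value}} for one or more SD-ELEMENTs."""
    if sd == "-":               # NILVALUE: no structured data present
        return {}
    elements, i, n = {}, 0, len(sd)
    while i < n:
        if sd[i] != "[":
            raise ValueError(f"expected '[' at offset {i}")
        i += 1
        start = i
        while i < n and sd[i] not in " ]":
            i += 1
        params = elements.setdefault(sd[start:i], {})
        while i < n and sd[i] == " ":      # each SD-PARAM starts with a space
            i += 1
            start = i
            while i < n and sd[i] != "=":
                i += 1
            name = sd[start:i]
            if sd[i:i + 2] != '="':
                raise ValueError(f"expected '=\"' after {name!r}")
            i += 2
            value = []
            while i < n and sd[i] != '"':  # '=' inside the value is plain text
                if sd[i] == "\\" and i + 1 < n and sd[i + 1] in ESCAPABLE:
                    i += 1                 # drop the backslash, keep the char
                value.append(sd[i])        # any other backslash is kept as-is
                i += 1
            if i >= n:
                raise ValueError(f"unterminated value for {name!r}")
            i += 1                         # consume the closing quote
            params[name] = "".join(value)
        if i >= n or sd[i] != "]":
            raise ValueError(f"expected ']' at offset {i}")
        i += 1
    return elements


# Constructed sample: SD-ID and "note" are placeholders; eventType is the
# value quoted in the post.
SAMPLE = r'[pam@32473 eventType="PAM:session_closed for acct=\"root\"" note="a\]b\\c"]'

if __name__ == "__main__":
    print(parse_structured_data(SAMPLE))
```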