
I need to strip NULLs from the incoming message so I can forward it back out to another host. Syslog-ng does not forward messages properly that have any NULLs in them. I've tried the following but cannot figure out how to target the NULL in the strings. With the below I still see the NULLs in my local log and the remote system never sees the messages with NULLs in them (not all messages have NULLs, and the ones that don't have NULLs forward properly).

source s_ise {
  udp(port(522));
};

destination d_ise {
  file("/var/log/ise.log");
  udp("myhost.example" port(516) spoof_source(no));
};

rewrite r_ise {
  # remove nulls, or it won't forward properly
  subst("\x00", "", type("string"), value("MESSAGE"), flags(substring, global));
};

log {
  source(s_ise);
  filter(f_ise_aaa);
  rewrite(r_ise);
  destination(d_ise);
};
lifo

1 Answer

NULLs are considered string terminators.

Fortunately, the UDP source does not rely on line endings (newline characters or NULLs), so you can remove all unnecessary 0 bytes before parsing, for example:

source s_ise {
  udp(port(522) flags(no-parse));
};

rewrite r_remove_nulls {
  subst('\x00', '', value("MESSAGE"), type(pcre), flags(global)); # single quotes!
};

parser p_syslog {
  syslog-parser();
};

destination d_ise {
  file("/var/log/ise.log");
  udp("myhost.example" port(516) spoof_source(no));
};

log {
  source(s_ise);
  rewrite(r_remove_nulls);
  parser(p_syslog);

  filter(f_ise_aaa);
  destination(d_ise);
};


Alternatively, you can keep NULL bytes, but in that case you should not use syslog-ng config objects that treat the message as a string (for example, parsers, string-based rewrite rules, string filters, etc.).

MrAnno
  • Interesting. I kept using double quotes in my rewrite because the docs said single quotes don't get parsed. I've tried what you said and I can see the NULLs are stripped from my local log now! However, it's not forwarding to the remote host still... I'm debugging it now. – lifo Apr 22 '20 at 13:36
  • Yeah, when using double quotes, \ is an escape character interpreted by syslog-ng. Single quotes make sure that \ is meant for the PCRE engine, not for syslog-ng. – MrAnno Apr 22 '20 at 13:43
  • I got it to work finally. Your solution helped, but I ultimately also had to change the destination to use TCP() instead of UDP() (since I don't need to spoof, this is fine). I'm not sure why; the messages are about 2k in size and our network is using jumbo frames (8192). At least it works.... – lifo Apr 22 '20 at 14:13
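As an added illustration of the two points made in the question and the answer above (this is editorial example code, not code from either poster and not part of syslog-ng), the Python model below shows why the double-quoted `"\x00"` pattern removed nothing while the single-quoted `'\x00'` pattern works, and why the NUL-stripping rewrite has to run on the raw datagram (`flags(no-parse)`) before any string-based parser sees it. The sample datagrams are constructed; `c_string_view` and `parse_syslog` are deliberately simplified stand-ins for syslog-ng's C-string handling and `syslog-parser()`, and `pattern_as_syslog_ng_sees_it` is an assumption about how the unescaping behaves, not syslog-ng's own routine.

```python
import re

# Constructed sample UDP payloads (not captured from the asker's host):
# one RFC 3164-style line with embedded NUL bytes, one without.
SAMPLE_WITH_NULS = (
    b"<134>Apr 22 13:36:00 ise01 CISE_Passed_Authentications 0001 1 0 "
    b"2020-04-22 13:36:00.123 +00:00 \x00\x00UserName=jdoe,\x00 NAS-IP-Address=192.0.2.10\x00"
)
SAMPLE_CLEAN = b"<134>Apr 22 13:36:00 ise01 CISE_Passed_Authentications 0001 1 0 UserName=jsmith"

PRI_HEADER = re.compile(rb"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


def c_string_view(data: bytes) -> bytes:
    """Model of a NUL-terminated string consumer: it only ever sees the bytes
    before the first 0x00. This is why string-based config objects truncate
    (or effectively drop) a message that carries embedded NULs."""
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]


def strip_nuls(data: bytes) -> bytes:
    """Byte-level equivalent of
    subst('\\x00', '', value("MESSAGE"), type(pcre), flags(global))
    applied to the raw datagram, i.e. with flags(no-parse) on the source."""
    return data.replace(b"\x00", b"")


def parse_syslog(data: bytes) -> dict:
    """Minimal RFC 3164 split (simplified stand-in for syslog-parser()):
    PRI -> facility/severity, everything after it is the message."""
    m = PRI_HEADER.match(data)
    if not m:
        raise ValueError("no PRI header")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "message": m.group("rest").decode("utf-8", "replace"),
    }


def pattern_as_syslog_ng_sees_it(config_literal: str, double_quoted: bool) -> str:
    """Assumed model of the quoting difference from the answer's comments:
    in a double-quoted syslog-ng string, backslash escapes are expanded by
    syslog-ng itself, so "\\x00" becomes one real NUL byte and the pattern
    handed to PCRE is, as a C string, empty. In single quotes the four
    characters \\x00 reach PCRE untouched, and PCRE reads them as 'a NUL byte'."""
    if double_quoted:
        expanded = config_literal.encode("ascii").decode("unicode_escape")
        return c_string_view(expanded.encode("latin-1")).decode("latin-1")
    return config_literal


def apply_subst(pattern: str, data: bytes) -> bytes:
    """PCRE-style global substitution with an empty replacement."""
    if pattern == "":
        return data  # an empty pattern removes nothing: the double-quote failure mode
    return re.sub(pattern.encode("ascii"), b"", data)


def pipeline_no_parse_first(datagram: bytes) -> dict:
    """The answer's ordering: strip NULs on the raw bytes, then parse."""
    return parse_syslog(strip_nuls(datagram))


def pipeline_parse_first(datagram: bytes) -> dict:
    """The original ordering: a string-based parser only sees up to the first NUL."""
    return parse_syslog(c_string_view(datagram))


if __name__ == "__main__":
    for quoted in (True, False):
        pat = pattern_as_syslog_ng_sees_it(r"\x00", quoted)
        print("double" if quoted else "single", "quotes -> pattern", repr(pat),
              "-> NULs left:", apply_subst(pat, SAMPLE_WITH_NULS).count(b"\x00"))
    print("no-parse then parse:", pipeline_no_parse_first(SAMPLE_WITH_NULS)["message"])
    print("parse first:        ", pipeline_parse_first(SAMPLE_WITH_NULS)["message"])
```

Run it as a script to see that the double-quoted pattern collapses to an empty string and leaves every NUL in place, while the single-quoted pattern removes all of them, and that parsing before stripping loses everything after the first NUL (here the `UserName=` part of the event). The TCP change mentioned in the last comment is outside this model; the script only covers the NUL handling.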