Hello, I am trying to integrate Fluentd (td-agent) with OSSEC's JSON syslog output but am having issues with how the message is emitted. When it arrives in td-agent it looks like:
    20140513T011505+0100 ips.ossec.reformed {"host":"tstsrv1", ident":"ossec","message":"{ \"crit\": 7, \"id\": 510, \"description\": \"Host-based anomaly detection event (rootcheck).\", \"component\": \"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\", \"classification\": \" ossec,rootcheck,\", \"message\": \"Process '748' hidden from kill (0) or getsid (1). Possible kernel-level rootkit.\" }"}

The problem comes when trying to use the parser plugin to do something like:

    ossec_id ${id}

as what ends up in ${ossec_id} is ":", so the "\" is being included as a JSON field. I have looked at the os_csyslogd.c code and this is part of the block causing the issue:

    snprintf(syslog_msg, OS_SIZE_2048 - padding,
             "<%d>%s %s ossec: { \"crit\": %d, \"id\": %d, \"description\": \"%s\", \"component\": \"%s\",",
             /* syslog header */
             syslog_config->priority, tstamp, __shost,
             /* OSSEC metadata */
             al_data->level, al_data->rule, json_safe_comment, al_data->location);

How can the code be changed so that it does not emit the 'escaping' characters?

Thanks,
Phil
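The following Python script is an added illustration and is not part of Phil's post or of OSSEC's or Fluentd's code. It shows where the backslashes in the quoted record come from and how a consumer recovers the OSSEC fields: the C format string's \" sequences are C escapes and produce plain double quotes on the wire, so the OSSEC alert leaves os_csyslogd.c as ordinary JSON; the backslashes only appear when the syslog input stores that alert text as the string value of the outer record's "message" field, where JSON encoding requires inner quotes to be escaped. The script decodes the outer record, then decodes the "message" value a second time to get "id" (510) as ossec_id, and also demonstrates that simply deleting the backslashes leaves the outer record unparseable. The sample line is constructed from the one quoted above (with the missing quote before ident restored so the outer record is valid JSON); only the standard library is used.

```python
import json

# Constructed sample (not captured from a live system): the record as td-agent
# shows it, rebuilt from the line quoted in the post, with the missing quote
# before "ident" restored so that the outer record is valid JSON.
# The outer object is JSON; its "message" value is the OSSEC alert as a string,
# so the alert's own quotes appear backslash-escaped. Those backslashes are the
# outer JSON encoding, not characters emitted by os_csyslogd.c.
SAMPLE_LINE = (
    '20140513T011505+0100 ips.ossec.reformed '
    '{"host":"tstsrv1","ident":"ossec","message":"{ \\"crit\\": 7, \\"id\\": 510, '
    '\\"description\\": \\"Host-based anomaly detection event (rootcheck).\\", '
    '\\"component\\": \\"(vsp1.testdomain1.local) 192.168.8.3->rootcheck\\", '
    '\\"classification\\": \\" ossec,rootcheck,\\", '
    '\\"message\\": \\"Process \'748\' hidden from kill (0) or getsid (1). '
    'Possible kernel-level rootkit.\\" }"}'
)


def split_td_agent_line(line):
    """Split a td-agent stdout line 'time tag record' into (time, tag, record_text)."""
    time_str, tag, record_text = line.split(" ", 2)
    return time_str, tag, record_text


def parse_ossec_record(record_text):
    """Decode the outer td-agent record, then decode the OSSEC alert that the
    syslog input stored as a string in the "message" field. Returns a flat
    dict with the fields a parser filter would want to expose (ossec_id etc.)."""
    outer = json.loads(record_text)
    alert = json.loads(outer["message"])  # second decode: message is itself JSON
    return {
        "host": outer["host"],
        "ident": outer["ident"],
        "ossec_id": alert["id"],
        "ossec_level": alert["crit"],
        "ossec_description": alert["description"],
        "ossec_component": alert["component"],
        # " ossec,rootcheck," -> ["ossec", "rootcheck"]
        "ossec_classification": alert["classification"].strip(" ,").split(","),
        "ossec_message": alert["message"],
    }


def stripping_backslashes_breaks_record(record_text):
    """Show why deleting the backslashes is not the fix: with them gone, the
    outer record is no longer valid JSON, so nothing downstream can parse it."""
    naive = record_text.replace('\\"', '"')
    try:
        json.loads(naive)
        return False
    except json.JSONDecodeError:
        return True


def parse_line(line):
    """Full pipeline for one td-agent line: tag plus the flattened OSSEC fields."""
    _, tag, record_text = split_td_agent_line(line)
    fields = parse_ossec_record(record_text)
    fields["tag"] = tag
    return fields


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE_LINE).items():
        print(f"{key}: {value}")
    record = split_td_agent_line(SAMPLE_LINE)[2]
    print("naive backslash removal breaks the record:",
          stripping_backslashes_breaks_record(record))
```

The Fluentd equivalent of the second json.loads is to point the parser filter at the message key with its JSON format rather than matching fields against the raw escaped string; changing os_csyslogd.c would not help, because the escaping is added by the outer record, and removing it would only make that record invalid.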