Mailing List Archive

escaping windows events messages
Hi

Receiving the following log:

2023-03-06T12:30:19+00:00 mycomputer windows/windows: {
"event_id":"7036","event_number":"23135", "eventlog":"System",
"source":"Service Control Manager", "source_message":"Windows module
instaler entered in state "*stopped*".","category_id":"0","category":"",
"computer":"mycomputer", "computer_ip":"192.168.0.2", "user":"" }

JSON parsing fails as it contains an unescaped " (enclosing stopped).
The same happens when the message contains an unescaped \, like in domain\account.

How could I escape the colons or backslashes?
So far I have tried:
set $!msg=replace($!msg,"\"","\\\"");
set $!source_message=replace($!source_message,"\"","\\\"");
set $!msg=replace($!msg!source_message,"\"","\\\"");
without any success.

Thanks
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: escaping windows events messages
IMHO this is a JSON question, not rsyslog. But iirc it is \"

Rainer

Sent from phone, thus brief.

Tan Mientras via rsyslog <rsyslog@lists.adiscon.com> schrieb am Mo., 6.
März 2023, 12:36:

> Hi
>
> Receiving the following log:
>
> 2023-03-06T12:30:19+00:00 mycomputer windows/windows: {
> "event_id":"7036","event_number":"23135", "eventlog":"System",
> "source":"Service Control Manager", "source_message":"Windows module
> instaler entered in state "*stopped*".","category_id":"0","category":"",
> "computer":"mycomputer", "computer_ip":"192.168.0.2", "user":"" }
>
> JSON parsing fails as it contains an unescaped " (enclosing stopped).
> The same happens when the message contains an unescaped \, like in domain\account.
>
> How could I escape the colons or backslashes?
> So far I have tried:
> set $!msg=replace($!msg,"\"","\\\"");
> set $!source_message=replace($!source_message,"\"","\\\"");
> set $!msg=replace($!msg!source_message,"\"","\\\"");
> without any success.
>
> Thanks
Re: escaping windows events messages
Sadly, this is not working...
set $!msg=replace($!msg,"\"","\\\"");

What would be the variable/property to replace source_message within the
following line?
> 2023-03-06T12:30:19+00:00 mycomputer windows/windows: {
> "event_id":"7036","event_number":"23135", "eventlog":"System",
> "source":"Service Control Manager", "source_message":"Windows module
> instaler entered in state "*stopped*".","category_id":"0","category":"",
> "computer":"mycomputer", "computer_ip":"192.168.0.2", "user":"" }



On Mon, Mar 6, 2023 at 2:44 PM Rainer Gerhards via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> IMHO this is a JSON question, not rsyslog. But iirc it is \"
>
> Rainer
>
> Sent from phone, thus brief.
>
> Tan Mientras via rsyslog <rsyslog@lists.adiscon.com> schrieb am Mo., 6.
> März 2023, 12:36:
>
> > Hi
> >
> > Receiving the following log:
> >
> > 2023-03-06T12:30:19+00:00 mycomputer windows/windows: {
> > "event_id":"7036","event_number":"23135", "eventlog":"System",
> > "source":"Service Control Manager", "source_message":"Windows module
> > instaler entered in state "*stopped*".","category_id":"0","category":"",
> > "computer":"mycomputer", "computer_ip":"192.168.0.2", "user":"" }
> >
> > JSON parsing fails as it contains an unescaped " (enclosing stopped).
> > The same happens when the message contains an unescaped \, like in domain\account.
> >
> > How could I escape the colons or backslashes?
> > So far I have tried:
> > set $!msg=replace($!msg,"\"","\\\"");
> > set $!source_message=replace($!source_message,"\"","\\\"");
> > set $!msg=replace($!msg!source_message,"\"","\\\"");
> > without any success.
> >
> > Thanks
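Added example, not part of the thread and not rsyslog code: a Python sketch showing why escaping every quote in the payload cannot work (the structural quotes get escaped too) and a heuristic repair pass that escapes only quotes and backslashes inside string values. The function names are hypothetical, the "user" value is constructed to cover the domain\account case, and the repair assumes the sender never escapes anything itself.

```python
import json

# Constructed sample: the JSON payload from the log line in this thread,
# with a made-up "user" value to cover the domain\account case.
RAW = ('{ "event_id":"7036","event_number":"23135", "eventlog":"System", '
       '"source":"Service Control Manager", "source_message":"Windows module '
       'instaler entered in state "*stopped*".","category_id":"0","category":"", '
       '"computer":"mycomputer", "computer_ip":"192.168.0.2", '
       '"user":"domain\\account" }')

def repair_json_strings(text):
    """Heuristically escape stray quotes and backslashes inside strings.

    Assumptions: the sender never escapes anything, so every backslash in a
    string is literal; a quote closes a string only when the next non-space
    character is one of , : } ] or the input ends.
    """
    out, in_string = [], False
    for i, ch in enumerate(text):
        if not in_string:
            in_string = ch == '"'          # a quote outside a string opens one
            out.append(ch)
        elif ch == '\\':
            out.append('\\\\')             # literal backslash -> \\
        elif ch == '"':
            rest = text[i + 1:].lstrip()
            if not rest or rest[0] in ',:}]':
                in_string = False          # structural closing quote
                out.append('"')
            else:
                out.append('\\"')          # quote inside the value -> \"
        else:
            out.append(ch)
    return ''.join(out)

def parses(text):
    """True if text is valid JSON as-is."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def blanket_escape(text):
    # Escaping every quote also escapes the ones that delimit keys and values.
    return text.replace('"', '\\"')

def load_repaired(text):
    return json.loads(repair_json_strings(text))
```

The heuristic misreads a message that itself contains a quote followed by a comma or colon, so emitting valid JSON at the sender remains the reliable fix; events that still fail to parse should be counted and kept raw rather than dropped.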