Posted

Hi,

I've enabled syslog in ESET SMC (v7.1) and I'm able to see logs generated in syslog daemon. The configuration is the following:

[screenshots of the syslog configuration in ESET SMC]

However, the syslog message contains non-printable characters at the beginning and end:

# xxd /var/log/eset/RemoteAdministrator/Server/ERAServer.log
00000000: efbb bf7b 2265 7665 6e74 5f74 7970 6522  ...{"event_type"
00000010: 3a22 4175 6469 745f 4576 656e 7422 2c22  :"Audit_Event","
00000020: 6970 7634 223a 2231 302e 3235 302e 312e  ipv4":"10.100.0.
...
00000160: 7222 3a22 222c 2272 6573 756c 7422 3a22  r":"","result":"
00000170: 5375 6363 6573 7322 7d23 3031 3523 3031  Success"}#015#01
00000180: 320a                                     2.

I know that the last two were escaped to #015 and #012 by the syslog daemon (rsyslogd) automatically.

Does anyone know if this is expected? I tried both formats BSD and Syslog and they seem to give the same result.

Thanks!

  • ESET Staff
Posted

My best guess is that it is a message delimiter, i.e. a "\r\n" pair (new line in MS Windows format) appended after each message so that the receiving daemon can actually detect the end of a message in case there are multiple of them sent in a stream. This should be standard behavior in case "Octet-counted framing" is not enabled. If frame counting is enabled, each message will also contain its length and this should be enough to detect the end of a message and the start of another one ...
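As an added example (not code from the thread or from ESET), here are the two framing modes the reply describes, as a receiving daemon would parse them from a TCP stream: non-transparent framing, where each message ends in CR LF, and octet-counted framing, where a decimal length prefix marks the boundary. The EF BB BF bytes at offset 0 of the dump are the UTF-8 byte-order mark, which RFC 5424 allows at the start of the MSG part, so the decoder strips it. The sample messages are constructed and modelled on the JSON body in the dump.

```python
"""Split a TCP syslog byte stream into messages (RFC 6587 framing)."""
import re

UTF8_BOM = b"\xef\xbb\xbf"            # EF BB BF, the first three bytes of the dump
_OCTET_COUNT = re.compile(rb"(\d{1,5}) ")  # "MSG-LEN SP" prefix of octet-counted framing


def split_frames(stream: bytes, octet_counted: bool) -> tuple[list[bytes], bytes]:
    """Return (complete messages, unconsumed tail) for the given framing mode."""
    msgs, pos = [], 0
    while pos < len(stream):
        if octet_counted:
            m = _OCTET_COUNT.match(stream, pos)
            if not m:
                raise ValueError(f"missing MSG-LEN prefix at offset {pos}")
            start, length = m.end(), int(m.group(1))
            if start + length > len(stream):
                break                  # incomplete frame: wait for more bytes
            msgs.append(stream[start:start + length])
            pos = start + length
        else:
            end = stream.find(b"\n", pos)   # LF terminates the message ...
            if end == -1:
                break                  # no terminator yet: wait for more bytes
            msgs.append(stream[pos:end].rstrip(b"\r"))  # ... and a preceding CR is part of the delimiter
            pos = end + 1
    return msgs, stream[pos:]


def decode_msg(msg: bytes) -> str:
    """Drop the UTF-8 BOM (permitted by RFC 5424 at the start of MSG) and decode."""
    if msg.startswith(UTF8_BOM):
        msg = msg[len(UTF8_BOM):]
    return msg.decode("utf-8")


def frame_octet_counted(msg: bytes) -> bytes:
    """Encode one message the way an octet-counted sender would."""
    return b"%d %s" % (len(msg), msg)


# Constructed sample: BOM + JSON body, as in the post's dump, sent twice.
SAMPLE_MSG = UTF8_BOM + b'{"event_type":"Audit_Event","result":"Success"}'
NON_TRANSPARENT_STREAM = (SAMPLE_MSG + b"\r\n") * 2 + b"partial"
OCTET_COUNTED_STREAM = frame_octet_counted(SAMPLE_MSG) * 2

if __name__ == "__main__":
    for name, stream, oc in (("non-transparent", NON_TRANSPARENT_STREAM, False),
                             ("octet-counted", OCTET_COUNTED_STREAM, True)):
        msgs, rest = split_frames(stream, oc)
        print(name, [decode_msg(m) for m in msgs], rest)
```

The trailing "partial" bytes in the non-transparent sample show why the delimiter is needed: without it (or a length prefix) the receiver cannot tell whether the final message is complete.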
