
Syslog reader/processor does not handle escaped brackets in structured data fields #40445

Closed
taylor-swanson opened this issue Aug 6, 2024 · 1 comment · Fixed by #40446
Labels
bug Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution

Comments

@taylor-swanson
Contributor

The syslog reader/processor does not properly handle escaped brackets (]) in the structured data fields of an RFC 5424 message.

Example log which triggers the issue:

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011" somekey="[value\] more data"][examplePriority@32473 class="high"] Some message

Expected raw structured data value:

[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011" somekey="[value\] more data"][examplePriority@32473 class="high"]

Actual raw structured data value:

more data"][examplePriority@32473 class="high"]

The extraction of the values into a map also has to be updated to handle escaped characters.

@taylor-swanson taylor-swanson added bug Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution labels Aug 6, 2024
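A parser written for this issue as an added example (it is neither Beats code nor the fix in #40446): it tracks quoting while scanning, so a `\]` inside a PARAM-VALUE cannot terminate the SD-ELEMENT, and it returns both the raw STRUCTURED-DATA text and the unescaped values as a map, rejecting malformed input instead of guessing. The function and parameter names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// unescapeParamValue reads the quoted PARAM-VALUE at s[i] == '"', mapping the RFC 5424
// escapes \" \\ and \] to the bare character, so an escaped ']' cannot end the element.
// It returns the value and the index just past the closing quote, or -1 if malformed.
func unescapeParamValue(s string, i int) (string, int) {
	if i >= len(s) || s[i] != '"' {
		return "", -1
	}
	var b strings.Builder
	for i++; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s) && strings.IndexByte(`"\]`, s[i+1]) >= 0:
			i++ // drop the backslash, keep the escaped character
		case s[i] == '"':
			return b.String(), i + 1
		}
		b.WriteByte(s[i])
	}
	return "", -1 // unterminated value
}

// ParseStructuredData consumes the STRUCTURED-DATA at the start of s and returns its
// raw text, the params keyed by SD-ID then PARAM-NAME, and the MSG that follows it.
func ParseStructuredData(s string) (raw string, sd map[string]map[string]string, msg string, err error) {
	sd, i := map[string]map[string]string{}, 0
	for i < len(s) && s[i] == '[' {
		end := strings.IndexAny(s[i+1:]+"]", " ]") // sentinel: unterminated SD-ID fails below
		id, params := s[i+1:i+1+end], map[string]string{}
		i += 1 + end
		for i >= 0 && i < len(s) && s[i] == ' ' { // each SP introduces one SD-PARAM
			name, _, _ := strings.Cut(s[i+1:], "=") // no '=' means no '"' follows: rejected
			params[name], i = unescapeParamValue(s, i+2+len(name))
		}
		if i < 0 || i >= len(s) || s[i] != ']' {
			return "", nil, "", fmt.Errorf("malformed SD-ELEMENT %q", id)
		}
		i++
		sd[id] = params
	}
	if i == 0 {
		return "", nil, "", fmt.Errorf("no SD-ELEMENT at start of input")
	}
	return s[:i], sd, strings.TrimPrefix(s[i:], " "), nil
}
```

Feeding it the STRUCTURED-DATA and MSG part of the log above yields the expected raw value and the unescaped `somekey` of `[value] more data`; the NILVALUE `-` is not handled here and is reported as an error.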
@elasticmachine
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
