If there is a way to disable that behavior I have not been able to find it, and frankly, due to the mandate to “not break what has come before”, I would be surprised if the behavior is changed. The maintainers will know for sure. We get around it by replacing \\/ with / during SIEM searches.
Regards,

> On Nov 18, 2021, at 05:13, nope via rsyslog <[email protected]> wrote:
>
> Hi,
>
> I've noticed something bothering when using templates to create a json :
> rsyslog keeps escaping forward slashes.
> Eg.:
> {"attr": "/value/with/forward/slash"}
> becomes
> {"attr": "\/value\/with\/forward\/slash"}
>
> Witnessed on Debian, with RSyslog version 8.1901.0 and 8.2110.0. I guess it's
> always been like this.
>
> Is it possible to prevent this behavior ? Perhaps some hidden option that's
> not documented ?
>
> Simple repro :
> #### Rsyslog config:
> template(name="test-json" type="list") {
>     constant(value="{")
>     property(outname="host" name="hostname" format="jsonf")
>     constant(value=",")
>     property(name="$!all-json" position.from="2")
> }
>
> module(load="mmjsonparse")
> ruleset(name="test_template") {
>     action(type="mmjsonparse" cookie="")
>     if $parsesuccess == "OK" then {
>         action(type="omfile" file="/var/log/rsyslog/test_parsed.log")
>         action(type="omfile" file="/var/log/rsyslog/test_template.log"
>                template="test-json")
>     }
>     else {
>         action(type="omfile" file="/var/log/rsyslog/test_error.log")
>     }
>     stop
> }
>
> module(load="imfile")
> input(type="imfile"
>       File="/var/log/rsyslog/test.log"
>       Tag="ignore"
>       Ruleset="test_template"
> )
>
> #### And then:
> $ echo '{"attr": "/value/with/forward/slash"}' > /var/log/rsyslog/test.log
>
> $ cat /var/log/rsyslog/test_parsed.log
> 2021-11-18T11:45:00.415066+01:00 host123 ignore {"attr":
> "/value/with/forward/slash"}
>
> $ cat /var/log/rsyslog/test_template.log
> {"host":"host123", "metadata": { "filename": "\/var\/log\/rsyslog\/test.log",
> "fileoffset": "0" }, "attr": "\/value\/with\/forward\/slash" }
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
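The search-side workaround mentioned in the reply, as an added example that is not part of the original thread or of rsyslog: it undoes the `\/` escape in raw text without corrupting `\\/` (an escaped backslash followed by a plain slash), and shows that decoding the JSON makes the escape disappear on its own. The function names and the sample line (copied from the repro output above) are assumptions of this example.

```python
import json
import re

# Constructed sample: the line written to test_template.log in the thread above.
RSYSLOG_LINE = (
    r'{"host":"host123", "metadata": { "filename": "\/var\/log\/rsyslog\/test.log", '
    r'"fileoffset": "0" }, "attr": "\/value\/with\/forward\/slash" }'
)

# A run of backslashes directly in front of a forward slash.
_BACKSLASHES_THEN_SLASH = re.compile(r"(\\+)/")


def unescape_slashes(raw: str) -> str:
    r"""Rewrite the JSON escape \/ to / in raw text, leaving \\/ alone."""

    def fix(match: re.Match) -> str:
        run = match.group(1)
        # Odd run: the last backslash escapes the slash, so drop it.
        # Even run: every backslash is half of a \\ pair; the slash is plain.
        return (run[:-1] if len(run) % 2 else run) + "/"

    return _BACKSLASHES_THEN_SLASH.sub(fix, raw)


def field_equals(raw: str, key: str, expected: str) -> bool:
    r"""Compare a top-level field after JSON decoding, which undoes \/ itself."""
    try:
        return json.loads(raw).get(key) == expected
    except (json.JSONDecodeError, AttributeError):
        return False


if __name__ == "__main__":
    wanted = "/value/with/forward/slash"
    print("raw substring match:      ", wanted in RSYSLOG_LINE)
    print("after unescape_slashes(): ", wanted in unescape_slashes(RSYSLOG_LINE))
    print("decoded field comparison: ", field_equals(RSYSLOG_LINE, "attr", wanted))
```

A plain string replace of `\/` would turn the JSON text `C:\\/share` into `C:\/share`, which decodes to a different value; the parity check on the backslash run avoids that.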

