Hi,

We're sending log data in JSON format to a SIEM system and noticed a special behaviour of OpenBSD's syslogd concerning strings with backslashes that is unique to OpenBSD:

echo '{"msg": \"This is "a test\""}' | logger

results in the following string logged:

{"msg": "This is \\"a test\\""}

As no other syslog daemon I tried (Linux and FreeBSD) behaves like this, the SIEM system does not use something like unvis() to correctly remove the escaping. This leads to a wrong text in the SIEM system after parsing the JSON string:

This is \"a test\"

This was introduced about 21 years ago when vis(3) was added to syslogd. The following diff changes the behaviour of syslogd so that it no longer escapes backslashes and thus is more consistent with other syslog implementations.

Greetings,
Matthias

diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index d44b311ae1..184e0d6089 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1571,7 +1571,7 @@ printline(char *hname, char *msgstr) if (*p == '\n') *q++ = ' '; else - q = vis(q, *p, 0, 0); + q = vis(q, *p, VIS_NOSLASH, 0); } line[LOG_MAXLINE] = *q = '\0'; @@ -1627,7 +1627,7 @@ printsys(char *msgstr) q = lp; while (*p && (c = *p++) != '\n' && q < &msg.m_msg[sizeof(msg.m_msg) - 4]) - q = vis(q, c, 0, 0); + q = vis(q, c, VIS_NOSLASH, 0); logmsg(&msg, flags, LocalHostName); }
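
Review bot: in the printline() hunk, `VIS_NOSLASH` does more than stop backslash doubling. Per vis(3) it also drops the backslash in front of the default control and meta encodings, so a control byte is then logged as `^C` instead of `\^C` and the output can no longer be reversed with unvis(3). If only the doubling is unwanted, copy `*p == '\\'` through directly and keep calling vis() with flags 0 for everything else, or state the wider change in the commit message.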
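
Review bot: the printsys() hunk applies the same flag to kernel messages, which the JSON-via-logger case in the description does not cover; the commit message should say whether this path is changed for consistency only. The loop bound `sizeof(msg.m_msg) - 4` stays valid because dropping the backslash only shortens each encoded byte, and a one-line comment there naming the per-byte worst case would make that easier to verify.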
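
The escaping effect described in the mail, as an added example that is not code from the original post or from syslogd: a simplified Python model of per-byte vis(3) encoding with and without VIS_NOSLASH. The function names and sample messages are constructed for illustration, and the model covers only the default encoding style; it also shows that without the backslash prefix a raw control byte and the literal text `^C` are logged identically.

```python
import json

def vis_byte(c: int, noslash: bool) -> str:
    """Simplified model of vis(3) for one byte, flags 0 or VIS_NOSLASH only."""
    lead = "" if noslash else "\\"
    if c == 0x5C:                          # literal backslash: doubled unless NOSLASH
        return lead + "\\"
    if 0x20 <= c < 0x7F or c in (0x09, 0x0A):
        return chr(c)                      # printable, tab, newline pass through
    out = lead
    if c & 0x80:                           # meta (high-bit) byte
        out += "M"
        c &= 0x7F
    if c < 0x20 or c == 0x7F:              # control byte -> ^X form
        out += "^" + ("?" if c == 0x7F else chr(c + 0x40))
    else:
        out += "-" + chr(c)
    return out

def syslogd_line(msg: bytes, noslash: bool) -> str:
    # printline() replaces newlines with spaces and passes the rest to vis()
    return "".join(" " if c == 0x0A else vis_byte(c, noslash) for c in msg)

def json_msg(line: str):
    """Return the parsed "msg" field, or None if the line is not valid JSON."""
    try:
        return json.loads(line)["msg"]
    except json.JSONDecodeError:
        return None

def undouble(line: str) -> str:
    """Receiver-side workaround for unpatched senders: undo backslash doubling only."""
    return line.replace("\\\\", "\\")

# Constructed sample: well-formed JSON with escaped inner quotes.
SAMPLE = b'{"msg": "This is \\"a test\\""}'

if __name__ == "__main__":
    old = syslogd_line(SAMPLE, noslash=False)
    new = syslogd_line(SAMPLE, noslash=True)
    print("flags 0:       ", old, "->", json_msg(old))
    print("VIS_NOSLASH:   ", new, "->", json_msg(new))
    print("undoubled old: ", json_msg(undouble(old)))
    # Ambiguity introduced by VIS_NOSLASH: two different inputs, one log line.
    print(syslogd_line(b"a \x03 b", True) == syslogd_line(b"a ^C b", True))
```

A strict JSON parser rejects the doubled form outright; a lenient SIEM parser may instead keep the stray backslashes, as the mail reports.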