Replacing \\ in messages

One type of syslog I ingest already has added a second \ to existing \ in the message.

For example:

Raw Log = user\\computer
Graylog Result = usercomputer

Whereas I want to see: user\computer

I’ve tried this rule but Graylog doesn’t seem to like dealing with \'s, I’ve tried escaping with a / (so replace(to_string($message.full_message), “\”, “/”); and that doesn’t work either.

Any ideas?

rule "Slash Replace"

when

    has_field("message")

then

    let message = replace(to_string($message.full_message), "\\", "\");
    let message = replace(to_string($message.full_message), "\\", "\");

end

he @nick

do you mind making a step back - as you say the original log has a double \ at some point and Graylog does not save that correctly.

How did you ingest the messages from where with what collector over what input to Graylog?

This is ingesting messages from a Windows application using syslog into a syslog UDP input.

I think the application is escaping a \ with another \ so resulting in \\ being sent to Graylog

Hi @jan here are the messages including original:

Edit: ok so the forum software is also escaping slashes (hence all the edits)!

Original Message:
{EventLog}{ServerLog}{SysLog}2020-07-27 16:34:33.7340000 +0100|DEVICE-ATTACHED||S-1-5-21-4181815807-852687120-3572905764-2112|Keyboards/Mice|Remote Desktop Mouse Device, Remote Desktop Mouse Device, (Standard system devices)|||||TS_INPT\TS_MOU||0000000000000000000000000000000000000000|dd02e61dd196c84b612b94ced3ba237724f4a78b|||00000000000000000000000000000000|

full_message in Graylog
<110>1 2020-07-27T15:34:33Z TESTCOMPUTER.local DEVICE-ATTACHED [EventLog@22752 User=“S-1-5-21-4181815807-852687120-3572905764-2112” UserName=“DOMAIN\\test” DeviceType=“Keyboards/Mice” DeviceName=“Remote Desktop Mouse Device, Remote Desktop Mouse Device, (Standard system devices)” Other=“TS_INPT\\TS_MOU” UniqueID=“0000000000000000000000000000000000000000” ModelID=“dd02e61dd196c84b612b94ced3ba237724f4a78b”]

message in Graylog
DEVICE-ATTACHED [EventLog@22752 User=“S-1-5-21-4181815807-852687120-3572905764-2112” UserName=“DOMAIN\\test” DeviceType=“Keyboards/Mice” DeviceName=“Remote Desktop Mouse Device, Remote Desktop Mouse Device, (Standard system devices)” Other=“TS_INPT\\TS_MOU” UniqueID=“0000000000000000000000000000000000000000” ModelID=“dd02e61dd196c84b612b94ced3ba237724f4a78b”]

just for clarification, if you use the options available in the editor, you have the ability to choose “code” what can be done by selecting the icon at the top of the editor window:

image

It is the one with </> that allows you to have a code window where nothing is mangled or changed.

Surrounding code with three backticks ``` will allow for code to span multiple lines
Typing:

```
function foo(bar){
     return bar+1;
}
```

results in

function foo(bar){
     return bar+1;
}

Any idea on what I can do about the slashes? My code seems correct but still doesn’t work.

Your first post with pipeline rule is not correct, because you use bad backslash escape and don’t rewrite field message at all. So try to use this:

rule "fix double backslash"
when
  has_field("message")
then
    let fix_message = replace(to_string($message.message), "\\\\", "\\");
    set_field("message", fix_message);
end

Four basckslashes is neccesary, because you need to escape with backslash all backslashes, so in this case there are 2 backslashes, so you need to escape each one with one backslash, so result is 4.

2 Likes

Thanks, typoed the second let, should have been set but the four slashes fixes the issue