[Intelmq-dev] Output format to syslog/splunk (PR#503)

Sebastian Wagner wagner at cert.at
Tue May 10 11:01:40 CEST 2016


Dear developers, contributors, users, etc.

Pedro Reis (@pedromreis) opened a pull request for a UDP output bot,
which can be used to send events to a syslog daemon (and then picked up
by further processing software).
The implementation has the following features:

  * Output formats are JSON or delimited by a configurable character
  * an optional header (at beginning of the line) can be set
  * `raw` field can be dropped

I can see some potential problems with the 'delimited' method here:

  * Strings can contain the delimiter itself, which breaks parsing.
  * Strings can contain arbitrary characters like \0 or \n which breaks
    everything

Possible solutions could be:

  * ignore the problem as it's maybe not relevant
  * escape all problematic characters (solves problem with \n)
  * quote strings (solves problem with delimiters in strings)
  * strip non-printable characters
  * drop fields with non-printable characters
  * encode strings in base64


As you may have possible applications for this bot or you have
experience with events in syslog, I would appreciate some feedback from you.

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 50564167201 
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
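To make the two problems in the mail concrete, here is an added example (not code from the IntelMQ project or from the pull request) that contrasts a naive delimited join with one that applies the "escape all problematic characters" option and can parse its own output back. The event, the delimiter `|`, the header `intelmq` and the backslash escape scheme are all assumptions chosen for illustration, not the bot's actual format.

```python
"""Delimited syslog-style output: naive join vs. escaped join with a round-trip parser.

Added example, not code from the IntelMQ project or the PR under discussion.
The event, the delimiter '|' and the header 'intelmq' are constructed for
illustration; C-style backslash escaping is one of the options listed in
the mail, chosen here for demonstration only.
"""

# Constructed sample event: 'raw' contains the delimiter, a newline and a NUL.
SAMPLE_EVENT = {
    "time.source": "2016-05-10T09:01:40+00:00",
    "source.ip": "192.0.2.10",
    "classification.type": "malware",
    "raw": "GET /a|b HTTP/1.1\nHost: example.com\x00",
}

DELIM = "|"          # assumed configurable delimiter
HEADER = "intelmq"   # assumed optional line header


def serialize_naive(event, delim=DELIM, header=HEADER):
    """Join values with the delimiter and no escaping: the case the mail warns about."""
    return delim.join([header] + [str(v) for v in event.values()])


def is_line_safe(line):
    """A line is safe for a line-oriented transport if it has no LF, CR or NUL."""
    return not any(c in line for c in "\n\r\x00")


def _escape(value, delim):
    """Escape backslash, the delimiter and control characters so a field can
    never contain a bare delimiter or a line terminator."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == delim:
            out.append("\\" + delim)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\x00":
            out.append("\\0")
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def serialize_escaped(event, delim=DELIM, header=HEADER):
    """Emit header plus all fields in sorted key order, each field escaped."""
    # Letters, digits and backslash would collide with the escape sequences above.
    if len(delim) != 1 or delim == "\\" or delim.isalnum() or not delim.isprintable():
        raise ValueError("delimiter must be a single printable non-alphanumeric character")
    fields = [header] + [_escape(str(event[k]), delim) for k in sorted(event)]
    return delim.join(fields)


def _split_escaped(line, delim):
    """Split on unescaped delimiters and undo the escapes of _escape()."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            i += 1
            nxt = line[i]
            if nxt == "n":
                cur.append("\n")
            elif nxt == "r":
                cur.append("\r")
            elif nxt == "0":
                cur.append("\x00")
            elif nxt == "x":
                cur.append(chr(int(line[i + 1:i + 3], 16)))
                i += 2
            else:  # escaped backslash or escaped delimiter
                cur.append(nxt)
        elif ch == delim:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_escaped(line, keys, delim=DELIM, header=HEADER):
    """Inverse of serialize_escaped(); keys is the key set the line was emitted from."""
    fields = _split_escaped(line, delim)
    if fields[0] != header or len(fields) != len(keys) + 1:
        raise ValueError("malformed line: header or field count mismatch")
    return dict(zip(sorted(keys), fields[1:]))


if __name__ == "__main__":
    naive = serialize_naive(SAMPLE_EVENT)
    print("naive field count:", len(naive.split(DELIM)), "safe:", is_line_safe(naive))
    line = serialize_escaped(SAMPLE_EVENT)
    print("escaped:", line)
    print("round-trip ok:", parse_escaped(line, SAMPLE_EVENT.keys()) == SAMPLE_EVENT)
```

Run as a script, the naive line splits into six fields instead of five and still carries the raw newline and NUL, which is exactly what a line-oriented syslog receiver would choke on; the escaped line splits correctly and parses back to the original event. Quoting alone (the CSV approach) would fix the embedded delimiter but not the embedded newline, which is why the escape option, or base64 for the `raw` field, is the one that addresses both points in the mail.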
