I need to strip NULL's from the incoming message so I can forward it back out to another host. Syslog-ng does not forward messages properly that have any nulls in it. I've tried the following but cannot figure out how to target the NULL in the strings. With the below I still see the nulls in my local log and the remote system never see's the messages with nulls in it (not all messages have nulls and the ones that don't have nulls forward properly).
source s_ise {
udp(port(522));
};
destination d_ise {
file("/var/log/ise.log");
udp("myhost.example" port(516) spoof_source(no));
};
rewrite r_ise {
# remove nulls, or it won't forward properly
subst("\x00", "", type("string"), value("MESSAGE"), flags(substring, global));
};
log {
source(s_ise);
filter(f_ise_aaa);
rewrite(r_ise);
destination(d_ise);
};
NULLs are considered as string terminators.
Fortunately, the UDP source does not rely on line endings (newline characters or NULLs), so you can remove all unnecessary 0 bytes before parsing, for example:
source s_ise {
udp(port(522) flags(no-parse));
};
rewrite r_remove_nulls {
subst('\x00', '', value("MESSAGE"), type(pcre), flags(global)); # single quotes!
};
parser p_syslog {
syslog-parser();
};
destination d_ise {
file("/var/log/ise.log");
udp("myhost.example" port(516) spoof_source(no));
};
log {
source(s_ise);
rewrite(r_remove_nulls);
parser(p_syslog);
filter(f_ise_aaa);
destination(d_ise);
};
Alternatively, you can keep NULL bytes, but in that case, you should not use syslog-ng config objects that treat the message as strings (for example, parsers, string-based rewrite rules, string filters, etc).