# What is happening:
I'm sending Sophos logs to Graylog via syslog, and I noticed on my Graylog server that a few logs from the Sophos UTM confd log had an additional log line appended to the end. I cross-referenced with the actual confd.log file on Sophos and it shows the same thing: there must be a missing newline ("\n") character at the end of some of the logs, but not all of them.
Samples from Graylog and the confd.log are pasted below, and these are the only ones in which I noticed this behavior. The only commonality I can see is they both (and only these) include the "sys::AUTOLOAD:307()" function/method call in the log. No other logs in my confd.log include the "AUTOLOAD" string, and no other logs have this EOL issue.
It's also weird that the appended logs' timestamps are in a completely different format than all the other logs.
# Supporting evidence:
From my Graylog server:
```
<30>2023:04:03-18:48:52 sophos01 confd[21270]: I Role::authenticate:185() => id="3106" severity="info" sys="System" sub="confd" name="authentication successful" user="admin" srcip="10.0.1.15" sid="8f5ed9b2ee3970e638930e98a50042fbbb78bda8e3d8c96e06b12041a8fc48e9" facility="webadmin" client="webadmin.plx" call="new"<31>Apr 3 18:48:52 confd[21270]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
<28>2023:04:03-19:06:48 sophos01 confd[23196]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_ACCESS_BLOCKED_TEMPORARILY (Too many wrong authentication requests, user admin is blocked for 34 seconds.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin" seconds="34"<31>Apr 3 19:06:48 confd[23196]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
<28>2023:04:03-19:21:35 sophos01 confd[24434]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_AUTHENTICATION_FAILED (Cannot authenticate user admin, authentication failed.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin"<31>Apr 3 19:21:35 confd[24434]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
```
Respective Sophos confd.log lines:
```
2023:04:03-18:48:52 sophos01 confd[21270]: I Role::authenticate:185() => id="3106" severity="info" sys="System" sub="confd" name="authentication successful" user="admin" srcip="10.0.1.15" sid="8f5ed9b2ee3970e638930e98a50042fbbb78bda8e3d8c96e06b12041a8fc48e9" facility="webadmin" client="webadmin.plx" call="new"<31>Apr 3 18:48:52 confd[21270]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
2023:04:03-19:06:48 sophos01 confd[23196]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_ACCESS_BLOCKED_TEMPORARILY (Too many wrong authentication requests, user admin is blocked for 34 seconds.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin" seconds="34"<31>Apr 3 19:06:48 confd[23196]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
2023:04:03-19:21:35 sophos01 confd[24434]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_AUTHENTICATION_FAILED (Cannot authenticate user admin, authentication failed.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin"<31>Apr 3 19:21:35 confd[24434]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
```
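A receiver-side way to recover both records from lines fused like the samples above, as an added example that is not part of the original post and is not Sophos or Graylog code. `split_records` and the other names are hypothetical, and `SAMPLE` is abridged from the post's first Graylog sample.

```python
import re

# An embedded BSD-style syslog header: <PRI> directly followed by
# "Mon D HH:MM:SS ". Requiring the timestamp avoids splitting on a
# "<n>" that merely appears inside a quoted field value.
EMBEDDED = re.compile(
    r'(?=<\d{1,3}>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)'
    r'\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)'
)
PRI = re.compile(r'^<(\d{1,3})>')
KV = re.compile(r'(\w+)="([^"]*)"')
SEVERITIES = ("emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")

# Abridged from the post's first Graylog sample (some fields dropped).
SAMPLE = (
    '<30>2023:04:03-18:48:52 sophos01 confd[21270]: I Role::authenticate:185() => '
    'id="3106" severity="info" name="authentication successful" user="admin" call="new"'
    '<31>Apr 3 18:48:52 confd[21270]: D sys::AUTOLOAD:307() => '
    'id="3100" severity="debug" name="external call" user="admin" method="get_SID"'
)


def split_records(line):
    """Split one received line into the syslog records fused inside it."""
    records = []
    # Zero-width split (Python 3.7+): each embedded header starts a new part.
    for part in EMBEDDED.split(line.rstrip("\n")):
        if not part:
            continue
        m = PRI.match(part)
        pri = int(m.group(1)) if m else None
        if pri is not None and pri > 191:  # outside the valid PRI range
            pri = None
        records.append({
            "raw": part,
            # PRI = facility * 8 + severity
            "facility": None if pri is None else pri >> 3,
            "severity": None if pri is None else SEVERITIES[pri & 7],
            "fields": dict(KV.findall(part)),
        })
    return records


if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        print(rec["severity"], rec["fields"].get("name"), "|", rec["raw"][:60])
```

Without a split like this, the key/value pairs of the appended debug record overwrite same-named fields of the first record in any extractor that parses the whole line at once.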