CVE-2021-44228-Scanner: Wrong format of the syslog messages

Your syslog message looks at the moment like this

<133>{"time": "2022-01-01 19:35:25+0100", "hostname": "checkmk", "path": "/usr/bin/pycharm/pycharm-community-2021.1.3/lib/log4j.jar", "entry": "", "product": "Log4j 1", "version": "1.2.17.2", "cve": "CVE-2021-4104", "status": "MITIGATED", "fixed": false}

According to RFC5424 the header (the stuff before the STRUCTURED-DATA/MESSAGE) should look like this

PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID

followed by SP STRUCTURED-DATA [SP MSG] (structured data must always be encoded in UTF-8). If the MESSAGE is UTF-8 encoded it must start with the BOM (BOM = %xEF.BB.BF).

You are using only the PRI (Facility/Severity) field (<133>) and the Message. This causes problems with some syslog implementations as they expect the message to be like in the RFC.

If you want to skip optional fields you can use the NILVALUE (-).

So your syslog message should look at least like this

<133> 1 - - - - - - {your message}

It would be nice to have the TIMESTAMP, HOSTNAME and APP-NAME populated like this (skipped PROCID, MSGID and STRUCTURED-DATA)

<133> 1 2022-01-01T23:20:50.52Z CHECKMK LOG4J-SCANNER - - - {your message}
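As an added example (not code from the scanner project or from the issue author), here is how the JSON line quoted above can be wrapped into the RFC 5424 layout the issue asks for, plus a small header splitter a receiver could use to check that all seven header fields are present. It follows the RFC 5424 ABNF, where PRI and VERSION are written without a space between them; the sample entry, the APP-NAME "LOG4J-SCANNER" and the facility/severity values (local0 = 16, notice = 5, giving PRI 133) are assumptions taken from the message shown in the issue.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the payload the scanner currently emits right after "<133>".
SAMPLE_ENTRY = {"time": "2022-01-01 19:35:25+0100", "hostname": "checkmk",
                "path": "/usr/bin/pycharm/pycharm-community-2021.1.3/lib/log4j.jar",
                "entry": "", "product": "Log4j 1", "version": "1.2.17.2",
                "cve": "CVE-2021-4104", "status": "MITIGATED", "fixed": False}

NILVALUE = "-"
BOM = b"\xef\xbb\xbf"  # RFC 5424: a UTF-8 encoded MSG starts with the BOM

def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; local0 (16) + notice (5) = 133."""
    return facility * 8 + severity

def rfc3339_utc(ts: str) -> str:
    """Convert the scanner's 'YYYY-MM-DD HH:MM:SS+HHMM' time to an RFC 3339 UTC TIMESTAMP."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S%z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_syslog(entry: dict, app_name: str = "LOG4J-SCANNER",
                 facility: int = 16, severity: int = 5) -> bytes:
    """HEADER (PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID),
    then SP STRUCTURED-DATA (NIL here), then SP BOM + JSON MSG."""
    # APP-NAME: 1..48 printable US-ASCII characters, no spaces
    if not (1 <= len(app_name) <= 48 and app_name.isascii()
            and app_name.isprintable() and " " not in app_name):
        raise ValueError("APP-NAME must be 1..48 printable US-ASCII characters")
    hostname = (entry.get("hostname") or NILVALUE)[:255]  # HOSTNAME: 1..255 chars
    header = "<%d>1 %s %s %s %s %s %s" % (
        pri(facility, severity), rfc3339_utc(entry["time"]), hostname, app_name,
        NILVALUE, NILVALUE, NILVALUE)  # PROCID, MSGID, STRUCTURED-DATA skipped
    return header.encode("ascii") + b" " + BOM + json.dumps(entry).encode("utf-8")

def split_header(msg: bytes) -> dict:
    """Split a message whose STRUCTURED-DATA is NIL into its header fields and MSG."""
    parts = msg.split(b" ", 7)  # PRI+VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG
    if len(parts) != 8 or not parts[0].startswith(b"<") or b">" not in parts[0]:
        raise ValueError("not an RFC 5424 message: header fields missing")
    pri_end = parts[0].index(b">")
    body = parts[7][len(BOM):] if parts[7].startswith(BOM) else parts[7]
    return {"pri": int(parts[0][1:pri_end]), "version": int(parts[0][pri_end + 1:]),
            "timestamp": parts[1].decode(), "hostname": parts[2].decode(),
            "app_name": parts[3].decode(), "procid": parts[4].decode(),
            "msgid": parts[5].decode(), "sd": parts[6].decode(),
            "msg": body.decode("utf-8")}

if __name__ == "__main__":
    m = build_syslog(SAMPLE_ENTRY)
    print(m)
    print(split_header(m))
```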

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 18 (9 by maintainers)

Most upvoted comments

@xeraph I think this can be closed 😃 (your typo is also gone)

works again. Perfect!

CHECKMKs syslog implementation looks fine now 😉 THX

so I need only discuss the non rfc5424 message handling with tribe29

@xeraph Great work 😃 I certainly will test it.

I was in the process of closing this, as after more digging the issue with the syslog implementation of CHECKMK is not only because of the non rfc5424 formatting. Guess I have to check this with the tribe29 guys anyway 😦

and now I will test all the new options 😃