[
https://issues.apache.org/jira/browse/FLUME-1666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13791469#comment-13791469
]
Mike Peterson edited comment on FLUME-1666 at 10/10/13 1:32 PM:
----------------------------------------------------------------
I'm not very familiar with Java, but it looks like the old patch (from
24/Oct/12 05:36) drops some of the information from the date header when it
parses the header with the java Date() function. Most notably I believe it
drops milliseconds.
Is this really the issue or am I looking at something wrong? If so, has this
been fixed with the new patch? i.e. does all the information that goes into the
header get added back to the message body and nothing is dropped?
Edit: It also looks like it gives the wrong Time Zone information. Here's an
example of a syslog source coming in that I listened to via netcat....
<166>2013-10-10T13:27:11.935Z
Here's a timestamp from a source that came in a little earlier
Wed Oct 09 13:33:22 EDT 2013
Note the millisecond (935) has been dropped and it's been read as EDT instead
of UTC (Z) time.
was (Author: mpeterson):
I'm not very familiar with Java, but it looks like the old patch (from
24/Oct/12 05:36) drops some of the information from the date header when it
parses the header with the java Date() function. Most notably I believe it
drops milliseconds.
Is this really the issue or am I looking at something wrong? If so, has this
been fixed with the new patch? i.e. does all the information that goes into the
header get added back to the message body and nothing is dropped?
> Syslog source strips timestamp and hostname from log message body
> -----------------------------------------------------------------
>
> Key: FLUME-1666
> URL: https://issues.apache.org/jira/browse/FLUME-1666
> Project: Flume
> Issue Type: Bug
> Components: Sinks+Sources
> Affects Versions: v1.2.0, v1.3.0
> Environment: This occurs with Flume all the way up through 1.3.0.
> Reporter: Josh West
> Assignee: Jeff Lord
> Fix For: v1.5.0
>
> Attachments: FLUME-1666-1.patch, FLUME-1666-2.patch,
> FLUME-1666-3.patch, FLUME-1666-4.patch, FLUME-1666-SyslogTextSerializer.patch
>
>
> The syslog source parses incoming syslog messages. In the process, it strips
> the timestamp and hostname from each log message, and places them as Event
> headers.
> Thus, a syslog message that would normally look like so (when written via
> rsyslog or syslogd):
> {noformat}
> Wed Oct 24 09:18:01 UTC 2012 someserver /USR/SBIN/CRON[26981]: (root) CMD
> (/usr/local/sbin/somescript)
> {noformat}
> Appears in flume output as:
> {noformat}
> /USR/SBIN/CRON[26981]: (root) CMD (/usr/local/sbin/somescript)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
