[
https://issues.apache.org/jira/browse/METRON-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360047#comment-16360047
]
ASF GitHub Bot commented on METRON-941:
---------------------------------------
Github user ctramnitz commented on the issue:
https://github.com/apache/metron/pull/579
8.0 log format is also working now
In the latest two commits I included the changed tests from @justinleet but
changed the expected input from full syslog messages including syslog header
into just the syslog message aka payload.
It is not safe to assume that the previously used syslog header (in old
RFC3164 format) will be used by anyone. Until we have something generic to
(pre-)parse syslog before it reaches the message parser I assumed the messages
will be stripped off the syslog header for now.
This works nicely with the rsyslog config snippet above.
The PR should be ready for prime-time now. Please let me know if anything
else needs to be changed.
> native PaloAlto parser corrupts message when having a comma in the payload
> --------------------------------------------------------------------------
>
> Key: METRON-941
> URL: https://issues.apache.org/jira/browse/METRON-941
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.4.0
> Environment: full-dev master
> Reporter: Christian Tramnitz
> Priority: Minor
>
> When a data field contains a comma (i.e. the URL, not too uncommon), the
> split(",") kicks in and the rest of the message if off by few fields due to
> positional definition.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
