Hello,

parsing of "STRUCTURED-DATA" in syslog_parse_structured_data() allows
for "SP" to appear between two "SD-ELEMENT"s. It is an error: such a
SP always designates _end_ of STRUCTURED-DATA. I am attaching a patch
which resolves both this little error and a typo in BOM removal. There
are even more SPs allowed in syslog_parse_structured_data() which are
not in the RFC5424, but these do not influence parser's behavior so I
left them untouched.

An example of a message which triggers the bad parsing:

<12>1 2016-02-03T00:03:01.000000+01:00 172.16.0.41 VMware_Tools 0 -
[NXLOG@14506 UserID="SYSTEM" AccountType="User"] [warning]
[vmsvc:autoUpgrade] vmx returned Autoupgrade is not allowed by policy
for guest.initiateUpgradeAtShutdown.

-> expected behavior: $Message = "[warning] [vmsvc:autoUpgrade]
vmx...AtShutdown."

-> current behavior: $Message = "[NXLOG@14506 UserID=...AtShutdown."

Milan
Index: nxlog-ce-2.8.1248/src/modules/extension/syslog/syslog.c
===================================================================
--- nxlog-ce-2.8.1248.orig/src/modules/extension/syslog/syslog.c
+++ nxlog-ce-2.8.1248/src/modules/extension/syslog/syslog.c
@@ -900,7 +900,6 @@ static const char *syslog_parse_structur
 
     for ( ; *ptr != '\0'; ptr++ )
     {
-	for ( ; *ptr == ' '; ptr++ ); // skip space
 	if ( *ptr != '[' )
 	{ // no SD-ELEMENT found
 	    return ( ptr );
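Review bot: Nothing at the loop head records why a space now ends parsing once the skip line is gone, so the skip could easily be reintroduced later; add a comment above `if ( *ptr != '[' )` saying that RFC 5424 permits no SP between SD-ELEMENTs and that the first SP ends STRUCTURED-DATA. This is also a behavior change for senders that do separate elements with spaces, since everything after the first element is now returned to the caller unparsed, so it deserves a changelog entry and a regression test built from the VMware_Tools message in the report.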
@@ -1091,7 +1090,8 @@ boolean nx_syslog_parse_rfc5424(nx_logda
     if ( *ptr == ' ' ) ptr++; // skip space
 
     // MESSAGE
-    if ( (ptr[0] == 0xEF) && (ptr[0] == 0xBB) && (ptr[0] == 0xBF) )
+    if ( (ptr + 3 <= msgend) &&
+         (ptr[0] == 0xEF) && (ptr[1] == 0xBB) && (ptr[2] == 0xBF) )
     { //Skip UTF8 BOM
 	ptr += 3;
     }
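Review bot: In the new condition, `ptr[0] == 0xEF` and the two comparisons after it can never be true if ptr is a plain char pointer (the structured-data parser in the first hunk returns const char *) and char is signed on the build platform, because the byte is promoted to a negative int; cast each byte to unsigned char, or compare against '\xEF', '\xBB' and '\xBF'. The bound would also be safer written as `msgend - ptr >= 3`, which avoids forming a pointer past the end of the buffer, and since msgend is not declared in the visible context, please confirm it points one past the last message byte.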