> > Jan 1 01:01:01
> > mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
> >
> > while in syslog format it does
> >
> > Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
> >

First things first: I really don't like to dig into snare, as I do not think it is a really good solution (but how could the designer of http://www.eventreporter.com say otherwise? ;)). So I assume you are talking about this message:

mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri

> Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric character
> will terminate the TAG field and will be assumed to be the starting
> character of the CONTENT field.)

Another thing to put straight: RFC3164 is NOT a standard, it is an informational document that describes things seen on the wire. And it does not even describe all *popular* cases. If at all, it gains some standard function via RFC3195, but this is questionable. Just for the records ;)

So the key point here is that we have nothing to "respect" or "obey to", but rather something that describes things seen in practice. For any decent syslog receiver, this means it must try to work equally well with everything that comes in via legacy syslog.

But, granted, RFC3164 is useful if we have nothing else to look at. So let's do that. We'll immediately see that snare is broken, because no control characters are allowed in the hostname. So rsyslog does the right thing and escapes these characters. So everything belongs to the hostname and thus you have problems with tag.

Damn... I didn't want to say something about snare. Now it has happened again. My conclusion: fix snare or use something that works ;)

Rainer

>
> The result would be:
> TAG: ''
> MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'
>
> At least I think, any thoughts Rainer?
>
> The following works for me:
> // If first character not alpha-numeric, skip tag parsing
> if( !isalphanum((int)*p2parse) )
>     bTAGCharDetected = 1;
>
> Is this bad for other loggers?
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
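The effect discussed in this message, as an added example that is not part of the original post and not rsyslog's own code: a simplified model of a legacy-syslog receiver that takes everything up to the first space as HOSTNAME and writes control characters as `#` plus three octal digits, the form seen in the thread. The function name `split_hostname` and the sample inputs are hypothetical; the control-character count it returns is a cheap way to flag senders that put TABs where a space-delimited hostname is expected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the HOSTNAME field (everything up to the first space) from `in`
 * into `out`, writing each control character as '#' plus three octal
 * digits (#011 for TAB). Returns the number of control characters found,
 * or -1 if `out` is too small. *rest is set to the text after the field. */
static int split_hostname(const char *in, char *out, size_t outsz,
                          const char **rest)
{
    size_t o = 0;
    int ctl = 0;

    if (outsz == 0)
        return -1;
    while (*in != '\0' && *in != ' ') {
        unsigned char c = (unsigned char)*in++;
        if (iscntrl(c)) {
            if (o + 4 >= outsz)          /* 4 chars plus the final NUL */
                return -1;
            o += (size_t)snprintf(out + o, outsz - o, "#%03o", (unsigned)c);
            ctl++;
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    *rest = (*in == ' ') ? in + 1 : in;
    return ctl;
}

int main(void)
{
    /* Constructed inputs modelled on the two lines quoted in the thread. */
    const char *in[2] = {
        "mail.abc.com\tMSWinEventLog\t1\tSecurity\t4169\tFri Jan",
        "mail.abc.com MSWinEventLog\tSecurity\t4169\tFri Jan",
    };
    char host[128];
    const char *rest;

    for (int i = 0; i < 2; i++) {
        int ctl = split_hostname(in[i], host, sizeof host, &rest);
        printf("host='%s' ctl=%d rest='%s'\n", host, ctl, rest);
    }
    return 0;
}
```

A nonzero return for the first input marks the TAB-delimited line: the whole run up to `Fri` lands in the hostname, which is why no usable TAG is left.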

