On Wed, 28 Oct 2009, Rainer Gerhards wrote:

>>> Jan 1 01:01:01
>>> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>>>
>>> while in syslog format it does
>>>
>>> Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
>>>
>>>
>
> First things first: I really don't like to dig into snare, as I do not think
> it is a really good solution (but how could the designer of
> http://www.eventreporter.com say otherwise? ;)).
>
> so I assume you are talking about this message:
>
> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>
>> Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric
>> character
>> will terminate the TAG field and will be assumed to be the starting
>> character of the CONTENT field.)
>
> Another thing to put straight: RFC3164 is NOT a standard, it is an
> informational document that describes things seen on the wire. And it does
> not even describe all *popular* cases. If at all, it gains some standard
> function via RFC3195, but this is questionable. Just for the records ;)
>
> So the key point here is that we have nothing to "respect" or "obey to", but
> rather something that describes things seen in practice. For any decent
> syslog receiver, this means it must try to work equally well with everything
> that comes in via legacy syslog. But, granted, RFC3164 is useful if we have
> nothing else to look at.
>
> So let's do that. We'll immediately see that snare is broken, because no
> control characters are allowed in the hostname. So rsyslog does the right
> thing and escapes these characters. So everything belongs to the hostname and
> thus you have problems with tag.

two other valid behaviors

1. it has a control character in the first text field, so that cannot be a
hostname or a tag, so it must be part of the message (after doing the
escaping)

2. treat running into a tab like running into a space

I think #1 would be better than what we do today, but #2 would be the best
for users.

David Lang

> Damn... I didn't want to say something about snare. Now it has happened
> again. My conclusion: fix snare or use something that works ;)
>
> Rainer
>
>>
>> The result would be:
>> TAG: ''
>> MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'
>>
>> At least I think, any thoughts Rainer?
>>
>> The following works for me:
>> // If first character not alpha-numeric, skip tag parsing
>> if( !isalphanum((int)*p2parse) )
>>     bTAGCharDetected = 1;
>>
>> Is this bad for other loggers?
>>
>>
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
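
The three hostname-splitting behaviours discussed in this thread (escaping everything into the hostname, as Rainer describes, and David Lang's options 1 and 2), as an added example that is not rsyslog code or code from the thread. The policy names and `split_host` are hypothetical, and the input is constructed from the Snare message quoted above, with raw tabs where the log shows `#011`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names for this illustration, not rsyslog identifiers. */
enum policy { POL_CURRENT, POL_CTRL_IS_MSG, POL_TAB_IS_SPACE };

/* Copy src[0..n) to dst, writing control characters as #ooo (octal). */
static void escape_ctrl(const char *src, size_t n, char *dst, size_t dlen)
{
    size_t o = 0;
    for (size_t i = 0; i < n && o + 5 < dlen; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c == 0x7f)
            o += (size_t)snprintf(dst + o, dlen - o, "#%03o", (unsigned)c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
}

/* Split the text that follows the timestamp into hostname and remainder. */
void split_host(const char *in, enum policy pol,
                char *host, size_t hlen, char *rest, size_t rlen)
{
    /* Option 2: a tab ends the field just like a space does. */
    const char *delims = (pol == POL_TAB_IS_SPACE) ? " \t" : " ";
    size_t n = strcspn(in, delims);            /* length of the first field */
    int has_ctrl = 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)in[i] < 0x20) has_ctrl = 1;
    if (pol == POL_CTRL_IS_MSG && has_ctrl)
        n = 0;                                 /* option 1: no hostname, all message */
    escape_ctrl(in, n, host, hlen);
    const char *p = in + n;
    if (n > 0 && *p != '\0')
        p++;                                   /* skip the delimiter itself */
    escape_ctrl(p, strlen(p), rest, rlen);
}

int main(void)
{
    /* Constructed input modelled on the Snare message in the thread. */
    const char *in = "mail.abc.com\tMSWinEventLog\t1\tSecurity\t4169\tFri";
    char host[128], rest[256];
    for (int pol = POL_CURRENT; pol <= POL_TAB_IS_SPACE; pol++) {
        split_host(in, (enum policy)pol, host, sizeof host, rest, sizeof rest);
        printf("policy %d: host='%s' rest='%s'\n", pol, host, rest);
    }
    return 0;
}
```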

