On Wed, 28 Oct 2009, Rainer Gerhards wrote:

>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of [email protected]
>>
>> two other valid behaviors
>>
>> 1. it has a control character in the first text field, so that cannot be a
>> hostname or a tag, so it must be part of the message (after doing the
>> escaping)
>>
>> 2. treat running into a tab like running into a space
>>
>> I think #1 would be better than what we do today, but #2 would be the best
>> for users.
>
> The problem with all that is that it breaks message sanitation. When a
> message hits rsyslog, it first is sanitized (which is important for security
> reasons, e.g. to prevent NUL characters to make parts of the messages
> unreadable and, later, to prevent the myriad of Unicode-based
> Vulnerabilities).
>
> So when it hits the parser, there is no such thing like a HT present anymore.
> What we could do, however, is add an option that tells the sanitizer to
> replace HT by SP in all cases.

this is not as good because the tabs are useful in the message itself, it
acts as a field separator for the different fields from the windows logs,
and the fields themselves can contain spaces, so if you replace them with
tabs you no longer have any way to identify individual fields.

the parser could look for # (which is not a valid character in a hostname,
and I don't think it's valid in a tag), then if it's #011 treat it as a
space for separating the hostname/tag/message and if it's anything else,
make that the start of the message.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
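
The parser rule proposed in the message above, sketched in C as an added example (not rsyslog's code and not from the thread). `split_header`, `struct parts` and the sample line are hypothetical, and the input is assumed to be the already-sanitized text that follows the timestamp.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not rsyslog code. Input is the header text after the
 * timestamp, already sanitized, so a tab arrives as the escape "#011". */
struct parts { char host[64]; char tag[64]; const char *msg; };

/* Separator length at p: 1 for SP, 4 for the escaped tab, 0 otherwise. */
static size_t sep_len(const char *p)
{
    if (*p == ' ') return 1;
    return strncmp(p, "#011", 4) == 0 ? 4 : 0;
}

/* Copy one field into out and return the position after it. Any '#' that is
 * not "#011" sets *stop and is left in place as the start of the message. */
static const char *take_field(const char *p, char *out, size_t cap, int *stop)
{
    size_t n = 0;
    while (*p && *p != '#' && *p != ' ') {
        if (n + 1 < cap) out[n++] = *p;   /* truncate overlong fields */
        p++;
    }
    out[n] = '\0';
    if (*p == '#' && sep_len(p) == 0) *stop = 1;
    else p += sep_len(p);
    return p;
}

/* Hypothetical entry point: fills host and tag, msg points into `in`. */
void split_header(const char *in, struct parts *r)
{
    int stop = 0;
    const char *p = take_field(in, r->host, sizeof r->host, &stop);
    r->tag[0] = '\0';
    if (!stop) p = take_field(p, r->tag, sizeof r->tag, &stop);
    r->msg = p;
}

int main(void)
{
    /* Constructed sample: Windows event text with tab-separated fields. */
    struct parts r;
    split_header("winbox#011MSWinEventLog#0111#011Security#011User Name", &r);
    printf("host=%s tag=%s msg=%s\n", r.host, r.tag, r.msg);
    return 0;
}
```

The message part keeps its `#011` escapes, so fields that contain spaces can still be told apart downstream.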
