Semi off-topic: release EventReporter under the same license as rsyslog and you'll win a lot of happy friends ;-)
Cheers

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rainer Gerhards
> Sent: 28 October 2009 14:13
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog and snare
>
> > > Jan 1 01:01:01
> > > mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
> > >
> > > while in syslog format it does
> > >
> > > Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
> > >
>
> First things first: I really don't like to dig into snare, as I do not think
> it is a really good solution (but how could the designer of
> http://www.eventreporter.com say otherwise? ;)).
>
> so I assume you are talking about this message:
>
> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>
> > Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric character
> > will terminate the TAG field and will be assumed to be the starting
> > character of the CONTENT field.)
>
> Another thing to put straight: RFC3164 is NOT a standard, it is an
> informational document that describes things seen on the wire. And it does
> not even describe all *popular* cases. If at all, it gains some standard
> function via RFC3195, but this is questionable. Just for the records ;)
>
> So the key point here is that we have nothing to "respect" or "obey to", but
> rather something that describes things seen in practice. For any decent
> syslog receiver, this means it must try to work equally well with everything
> that comes in via legacy syslog. But, granted, RFC3164 is useful if we have
> nothing else to look at.
>
> So let's do that. We'll immediately see that snare is broken, because no
> control characters are allowed in the hostname. So rsyslog does the right
> thing and escapes these characters. So everything belongs to the hostname and
> thus you have problems with tag.
>
> Damn... I didn't want to say something about snare. Now it has happened
> again.
> My conclusion: fix snare or use something that works ;)
>
> Rainer
>
> > The result would be:
> > TAG: ''
> > MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'
> >
> > At least I think, any thoughts Rainer?
> >
> > The following works for me:
> > // If first character not alpha-numeric, skip tag parsing
> > if( !isalphanum((int)*p2parse) )
> >     bTAGCharDetected = 1;
> >
> > Is this bad for other loggers?
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
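
Added example, not part of the original thread and not rsyslog's own parser: a simplified C model of the behaviour discussed above, showing why a tab-delimited Snare line ends up entirely in HOSTNAME once control characters are escaped, while the space-delimited form yields a usable TAG. The function names `escape_ctl` and `split_header` and the sample strings are assumptions constructed from the lines quoted in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape control characters as '#' + three octal digits (#011 is a tab). */
void escape_ctl(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0' && o + 5 < outsz; in++) {
        unsigned c = (unsigned char)*in;
        if (iscntrl((int)c))
            o += (size_t)snprintf(out + o, outsz - o, "#%03o", c);
        else
            out[o++] = *in;
    }
    out[o] = '\0';
}

/* Split the text after the timestamp: HOSTNAME runs to the first space, TAG
 * is the following run of alphanumerics, *rest is what remains (CONTENT). */
void split_header(const char *s, char *host, size_t hsz, char *tag, size_t tsz, const char **rest)
{
    size_t i = 0;
    for (; *s != '\0' && *s != ' '; s++)
        if (i + 1 < hsz)
            host[i++] = *s;
    host[i] = '\0';
    if (*s == ' ')
        s++;
    for (i = 0; isalnum((unsigned char)*s) && i + 1 < tsz; s++)
        tag[i++] = *s;
    tag[i] = '\0';
    *rest = s;
}

int main(void)
{
    const char *samples[] = { /* constructed from the lines quoted in the thread */
        "mail.abc.com\tMSWinEventLog\t1\tSecurity\t4169\tFri",
        "mail.abc.com MSWinEventLog\tSecurity\t4169\tFri" };
    char esc[256], host[128], tag[64];
    const char *rest;
    for (size_t k = 0; k < 2; k++) {
        escape_ctl(samples[k], esc, sizeof esc);
        split_header(esc, host, sizeof host, tag, sizeof tag, &rest);
        printf("HOSTNAME='%s' TAG='%s' REST='%s'\n", host, tag, rest);
    }
    return 0;
}
```

For the tab-delimited sample no space is ever found, so the escaped line is consumed as HOSTNAME and TAG stays empty; a receiver-side filter keyed on the tag or hostname would therefore miss these events.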

