On Thu, 13 Dec 2012, Rainer Gerhards wrote:

-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of Scott Severtson
Sent: Monday, December 10, 2012 5:28 PM
To: rsyslog-users
Subject: [rsyslog] Patch: RFC-3339 timezone parsing fixes

Per RFC-3339, these timezones are legal:
Z
+06:00
+0600
+06

Mhhh... This is a bit complicated. As far as I read 3339, the last two formats 
are incorrect. In section 5.6 (inside the normative part of the RFC) it says:

time-numoffset  = ("+" / "-") time-hour ":" time-minute

However, in appendix A it lists the ISO definitions with this ABNF:

[snip]
The spec includes the following ABNF constructs:

    time-numoffset    = ("+" / "-") time-hour [[":"] time-minute]
    time-zone         = "Z" / time-numoffset

    timeopt-hour      = "-" / (time-hour [":"])
    timeopt-minute    = "-" / (time-minute [":"])


Given the usual understanding, the appendix is non-normative (especially when 
contrary to the normative text).

So I conclude that the last two formats you described are not valid under 
RFC3339 and thus not valid under RFC5424 as well.

As a result, the patch would need to be controlled by an option which turns its 
non-standard behavior on. I know it's nit-picking, but if we misinterpret a 
format we can end up with a lot of problems...

Comments appreciated.
Rainer

We have several log sources which omit the optional ":" separator in the
timezone. We've developed the attached patch to improve Rsyslog's
support for valid RFC-3339 timezones.

One other minor fix in the patch - OffsetHour was originally declared as
a "char" instead of an "int".

--Scott

What are the sources of the problem logs? If they are a common enough vendor, it may be worth the risk of misparsing messages to deal with this vendor.

My gut reaction is that not requiring the : isn't likely to misparse many logs that are otherwise parsed.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
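
The two grammars contrasted in this thread, with the colon-less forms behind a switch, as an added example (not the patch under discussion and not rsyslog code). `parse_tz`, `two_digits` and `allow_iso` are hypothetical names, and requiring a space or end of string after the offset is an assumption about what follows the timestamp.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper (not rsyslog code): read exactly two decimal digits. */
static int two_digits(const char *s, int *out)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return 0;
    *out = (s[0] - '0') * 10 + (s[1] - '0');
    return 1;
}

/* Parse a time zone at s; returns characters consumed, or -1 on reject.
 * allow_iso == 0: only "Z" and +hh:mm / -hh:mm (RFC 3339 section 5.6).
 * allow_iso != 0: additionally +hhmm and +hh (the Appendix A ABNF).
 * *offset_min receives the signed offset from UTC in minutes. */
int parse_tz(const char *s, int allow_iso, int *offset_min)
{
    int hh = 0, mm = 0, len = 1;

    if (s[0] != 'Z') {
        if ((s[0] != '+' && s[0] != '-') || !two_digits(s + 1, &hh))
            return -1;
        len = 3;
        if (s[3] == ':') {
            if (!two_digits(s + 4, &mm))
                return -1;          /* "+06:" or "+06:0" is never valid */
            len = 6;
        } else if (!allow_iso) {
            return -1;              /* strict mode requires the ':' */
        } else if (two_digits(s + 3, &mm)) {
            len = 5;                /* +hhmm; otherwise +hh, minutes stay 0 */
        }
    }
    /* Assumption: the offset ends the timestamp, so SP or NUL must follow. */
    if (hh > 23 || mm > 59 || (s[len] != ' ' && s[len] != '\0'))
        return -1;
    *offset_min = (s[0] == '-' ? -1 : 1) * (hh * 60 + mm);
    return len;
}

int main(void)
{
    const char *in[] = { "Z", "+06:00", "+0600", "+06", "+061" }; /* constructed */
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        int off = 0;
        printf("%-7s strict=%2d lenient=%2d\n", in[i],
               parse_tz(in[i], 0, &off), parse_tz(in[i], 1, &off));
    }
    return 0;
}
```

The trailing-delimiter check is what keeps the lenient mode from accepting a prefix of a malformed offset such as `+061`.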