ahhh, I was so focussed on the RFC5424 parser. If it's lognorm, I suggest to add a feature request tracker. I am right now cleaning up things, but starting January I can begin to larger implementation. And if it turns out to be small, I may be able to sneak it in. But let's file a bug tracker with all relevant info, that makes it much more probably this will materialize.
Rainer 2015-11-24 9:47 GMT+01:00 Radu Gheorghe <[email protected]>: > Hello, > > I think the actual need for this functionality would be outside > RFC5424. Or RFC3164 for that matter. > > It sounds like Vicks (and also Ciprian and I) would need it as a > function of mmnormalize/liblognorm so that we can parse logs from > files. This different format in the Email is something I often see in > Java logs. > > The more general use-case would be to parse all kinds of date formats > (mysql, apache, whatever - it seems like there's a billion of them). > Currently the only option I'm aware of is to hack around with parsing > different parts of the date as a string and stitching it in the > template. All very ugly. > > @Ciprian and Vicks: please let me know if I misinterpreted what you > wanted. What I describe here is what I would find useful. > > Best regards, > Radu > > P.S. Now that I think of it, it wouldn't be only useful for parsing > logs from files. It could be that some apps just send logs over TCP > (say, newline-delimited) that don't comply to either of the syslog > RFCs. And then we could use mmnormalize to parse them. Goes into the > direction of "rsyslog is not only for syslog". > -- > Performance Monitoring * Log Analytics * Search Analytics > Solr & Elasticsearch Support * http://sematext.com/ > > > On Tue, Nov 24, 2015 at 10:37 AM, Rainer Gerhards > <[email protected]> wrote: >> 2015-11-24 9:18 GMT+01:00 David Lang <[email protected]>: >>> On Tue, 24 Nov 2015, Ciprian Hacman wrote: >>> >>>> I was actually thinking of creating a PR for accepting " " instead of "T" >>>> between date and time. >>>> @Rainer: Would it be ok? >>> >>> >>> my reaction is that it depends on how paranoid the rest of the code is. Is >>> there any chance that this will cause it to misinterpret something else as a >>> match? >> >> No, but the current stance of the IETF is "if it's malformed, than >> it's dangerous". I think that paradigm is correct to follow these >> days. An option would work, but the default should be to comply with >> RFC rules. >> >> Rainer >>> >>> David Lang >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
