Hi, Radu was right, I was thinking of doing a small change in liblognorm RFC5424 parser, nothing fancy (docs say that "Slightly different formats are allowed."): https://github.com/rsyslog/liblognorm/blob/master/src/parser.c#L188
Reading the above, not sure if it desired or a new parser would be required. New issue added here: https://github.com/rsyslog/liblognorm/issues/177 Thanks, Ciprian -- Performance Monitoring * Log Analytics * Search Analytics Solr & Elasticsearch Support * http://sematext.com/ On Tue, Nov 24, 2015 at 10:54 AM, Rainer Gerhards <[email protected]> wrote: > ahhh, I was so focussed on the RFC5424 parser. If it's lognorm, I > suggest to add a feature request tracker. I am right now cleaning up > things, but starting January I can begin to larger implementation. And > if it turns out to be small, I may be able to sneak it in. But let's > file a bug tracker with all relevant info, that makes it much more > probably this will materialize. > > Rainer > > 2015-11-24 9:47 GMT+01:00 Radu Gheorghe <[email protected]>: > > Hello, > > > > I think the actual need for this functionality would be outside > > RFC5424. Or RFC3164 for that matter. > > > > It sounds like Vicks (and also Ciprian and I) would need it as a > > function of mmnormalize/liblognorm so that we can parse logs from > > files. This different format in the Email is something I often see in > > Java logs. > > > > The more general use-case would be to parse all kinds of date formats > > (mysql, apache, whatever - it seems like there's a billion of them). > > Currently the only option I'm aware of is to hack around with parsing > > different parts of the date as a string and stitching it in the > > template. All very ugly. > > > > @Ciprian and Vicks: please let me know if I misinterpreted what you > > wanted. What I describe here is what I would find useful. > > > > Best regards, > > Radu > > > > P.S. Now that I think of it, it wouldn't be only useful for parsing > > logs from files. It could be that some apps just send logs over TCP > > (say, newline-delimited) that don't comply to either of the syslog > > RFCs. And then we could use mmnormalize to parse them. Goes into the > > direction of "rsyslog is not only for syslog". > > -- > > Performance Monitoring * Log Analytics * Search Analytics > > Solr & Elasticsearch Support * http://sematext.com/ > > > > > > On Tue, Nov 24, 2015 at 10:37 AM, Rainer Gerhards > > <[email protected]> wrote: > >> 2015-11-24 9:18 GMT+01:00 David Lang <[email protected]>: > >>> On Tue, 24 Nov 2015, Ciprian Hacman wrote: > >>> > >>>> I was actually thinking of creating a PR for accepting " " instead of > "T" > >>>> between date and time. > >>>> @Rainer: Would it be ok? > >>> > >>> > >>> my reaction is that it depends on how paranoid the rest of the code > is. Is > >>> there any chance that this will cause it to misinterpret something > else as a > >>> match? > >> > >> No, but the current stance of the IETF is "if it's malformed, than > >> it's dangerous". I think that paradigm is correct to follow these > >> days. An option would work, but the default should be to comply with > >> RFC rules. > >> > >> Rainer > >>> > >>> David Lang > >>> > >>> _______________________________________________ > >>> rsyslog mailing list > >>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>> http://www.rsyslog.com/professional-services/ > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of > >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T > >>> LIKE THAT. > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com/professional-services/ > >> What's up with rsyslog? Follow https://twitter.com/rgerhards > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you DON'T LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
