On Tue, Apr 02, 2002 at 11:08:23PM +1200, Andrew Ross wrote:
>
> I'm just updating my parsing code to work with the RFC 3164 standard and
> have come across a few issues. I was wondering if anyone else has come
> across this or could offer a solution.
>
> 1). Solaris 8 sends messages in the following format...
> <38>Apr 2 11:41:25 sshd[12345]: [ID 54321 auth.info] Accepted password
>
> It is missing the hostname field in the header, but has a valid PID. What do
> we do here? Do we assume the host address is the socket peer address and
> insert it? Or do we assume the hostname is "sshd[12345]:" and the PID is
> "[ID"? which is obviously not correct (to a human). Do we just mark the
> packet as having an invalid header and treat the whole thing (after the
> priority field) as message text and not try and extract details from it?
>
> Do we make an exception for Solaris for being "nearly" right and try and
> 'fix it' by looking for a Unix PID[1234] type sequence and inserting the
> socket peer address?
A gotcha that pops up from time to time on Solaris 8: the "TAG" field
can have a space in it. This means you'll get logs like:
<131>Apr 2 08:44:49 ctld 5.0.6[17557]: [ID 702911 local0.error] [0] Error: unable to read header - Status: NoMoreData.
The program name ("TAG" field IIRC) is "ctld 5.0.6". When Solaris sends
network syslog messages without the hostname (as it does on SunOS
5.6-5.8, all I have at work to check), this makes standard syslog
parsing code think the hostname is "ctld".
I had to write my own syslog proxy daemon to fix this before my syslog
daemon writes them to disk (archived by hostname, so I need the
hostnames correct). Your code to account for the missing hostname will
also have to account for cases where the pid is missing. Of course this
is almost impossible to do. What about:
<23>Apr 2 08:11:36 last message repeated 1 time
Do you put in special logic for common words that appear in the hostname
field but aren't really hostnames? What if you have a host that really
is called "last"? This is starting to hurt my head. I really wish
Solaris sent the darn hostname.
--
Nate
"If you put a billion monkeys in front of a billion typewriters typing
at random, they would reproduce the entire collected works of Usenet in
about ... five minutes." -Anon.
"Come to think of it, there are already a million monkeys on a million
typewriters, and the Usenet is NOTHING like Shakespeare!" -Blair Houghton
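As an added example, not part of this thread and not the proxy daemon Nate describes, here is a Python parser and re-emitter that applies the heuristics the two posts argue about: a Solaris "[ID nnnnn facility.level]" marker is used to bound the TAG (so "ctld 5.0.6" survives and the missing hostname is detected), a would-be hostname ending in ":" or containing "[" is treated as a TAG, "last message repeated N times" is recognised, and in every no-hostname case the socket peer address is inserted the way a relay would. The three sample packets are the ones quoted above (with the whitespace as it survived the mail); the peer address 192.0.2.10, the RFC 3164 section 5.4 example line and the "Solaris with msgids off" line are constructed, and the heuristics themselves are assumptions, not anything RFC 3164 defines.

```python
"""Tolerant RFC 3164 parser/normaliser for the Solaris quirks in this thread.

All of the recovery rules below are heuristics (assumptions), not RFC behaviour:
  * the Solaris msgid marker "[ID nnnnn facility.level]" bounds the TAG, so a
    TAG containing spaces and a missing HOSTNAME can both be recovered;
  * a "hostname" token ending in ':' or containing '[' is really TAG[pid];
  * "last message repeated N times" carries no HOSTNAME;
  * whenever the HOSTNAME is absent, the socket peer address is inserted.
"""
import re
import time
from dataclasses import dataclass
from typing import Optional

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 4.1.2 TIMESTAMP "Mmm dd hh:mm:ss"; the day is space-padded, but the
# single-space form seen in the mail quotes is accepted as well.
TS_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?:[ 0-9]\d|\d) \d\d:\d\d:\d\d "
)
SOLARIS_ID_RE = re.compile(r"\[ID \d+ [a-z0-9]+\.[a-z]+\]")
# TAG bounded by the Solaris marker: may contain spaces, optional [pid], then ':'.
LOOSE_TAG_RE = re.compile(r"^(.*?)(?:\[(\d+)\])?:\s*$")
# TAG per RFC 3164 4.1.3 (alphanumerics ended by '[' or ':'), slightly relaxed.
STRICT_TAG_RE = re.compile(r"^([A-Za-z0-9_./-]{1,32})(?:\[(\d+)\])?:\s*")
REPEATED_RE = re.compile(r"^last message repeated \d+ times?$")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: str
    hostname_from_peer: bool  # True when the packet carried no usable HOSTNAME
    tag: Optional[str]
    pid: Optional[int]
    text: str                 # CONTENT after the TAG (whole MSG if untagged)
    header_ok: bool           # False: header unparseable, rest kept as text


def _tag(regex, s):
    """Split 'TAG[pid]: rest' with the given regex; (None, None, s) if no TAG."""
    m = regex.match(s)
    if m is None:
        return None, None, s
    return m.group(1), (int(m.group(2)) if m.group(2) else None), s[m.end():]


def parse(raw: str, peer: str) -> SyslogMessage:
    """Parse one UDP syslog packet `raw` received from `peer` (address or name)."""
    pri_m = PRI_RE.match(raw)
    if pri_m is None or int(pri_m.group(1)) > 191:
        # RFC 3164 4.3.3: no valid PRI -> treat as <13>, keep the packet as text.
        return SyslogMessage(1, 5, None, peer, True, None, None, raw, False)
    facility, severity = divmod(int(pri_m.group(1)), 8)
    rest = raw[pri_m.end():]

    ts_m = TS_RE.match(rest)
    if ts_m is None:
        # RFC 3164 4.3.2: no TIMESTAMP means no HOSTNAME either; keep as text.
        return SyslogMessage(facility, severity, None, peer, True, None, None, rest, False)
    timestamp, rest = ts_m.group(0).rstrip(), rest[ts_m.end():]

    if REPEATED_RE.match(rest):
        return SyslogMessage(facility, severity, timestamp, peer, True, None, None, rest, True)

    id_m = SOLARIS_ID_RE.search(rest)
    if id_m is not None:
        # Solaris without HOSTNAME: everything before "[ID ...]" is "TAG[pid]: ".
        tag, pid, _ = _tag(LOOSE_TAG_RE, rest[:id_m.start()])
        return SyslogMessage(facility, severity, timestamp, peer, True, tag, pid,
                             rest[id_m.start():], True)

    host, _, msg = rest.partition(" ")
    if not msg or host.endswith(":") or "[" in host:
        # First token is a TAG, not a HOSTNAME: the header lacks the hostname.
        hostname, from_peer, msg = peer, True, rest
    else:
        hostname, from_peer = host, False
    tag, pid, text = _tag(STRICT_TAG_RE, msg)
    return SyslogMessage(facility, severity, timestamp, hostname, from_peer, tag, pid, text, True)


def normalise(raw: str, peer: str, now: Optional[str] = None) -> str:
    """Re-emit as a canonical RFC 3164 line with the HOSTNAME filled in (a relay's job)."""
    m = parse(raw, peer)
    if m.timestamp is None:
        # RFC 3164 4.3.2: a relay that finds no TIMESTAMP prepends its own.
        t = time.localtime()
        m.timestamp = now or f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    if m.tag is None:
        msg = m.text
    elif m.pid is None:
        msg = f"{m.tag}: {m.text}"
    else:
        msg = f"{m.tag}[{m.pid}]: {m.text}"
    return f"<{m.facility * 8 + m.severity}>{m.timestamp} {m.hostname} {msg}"


# Samples: the three packets quoted in the thread, then two constructed ones
# (the RFC 3164 section 5.4 example, and a Solaris line with msgids turned off).
SAMPLES = [
    "<38>Apr 2 11:41:25 sshd[12345]: [ID 54321 auth.info] Accepted password",
    "<131>Apr 2 08:44:49 ctld 5.0.6[17557]: [ID 702911 local0.error] [0] Error: unable to read header - Status: NoMoreData.",
    "<23>Apr 2 08:11:36 last message repeated 1 time",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<38>Apr 2 11:41:25 sshd[12345]: Accepted password for alice",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        m = parse(raw, "192.0.2.10")  # 192.0.2.10 is a made-up peer address
        print(f"{m.hostname:<12} peer={m.hostname_from_peer!s:<5} tag={m.tag!r} pid={m.pid} text={m.text!r}")
        print("  ->", normalise(raw, "192.0.2.10"))
```

Two limits worth knowing before archiving by hostname with this: the "[ID ...]" rule assumes the Solaris sender itself dropped the hostname, so a Solaris line that has passed through a relay which prepended one would have that hostname swallowed into the TAG ("solhost ctld 5.0.6" is syntactically indistinguishable from "ctld 5.0.6"); and the "last message repeated" rule is exactly the ambiguity Nate raises, since a host really named "last" whose message text is "message repeated 1 time" would be misfiled under the peer address. Re-emitted lines keep the space inside "ctld 5.0.6", so a strict downstream parser will still see the TAG as "ctld", but now with the hostname in front of it where it belongs.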