-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rfc5424 syslog not parsed properly #2815
Comments
2nd issue makes sense to me. and I've confirmed it doesn't work. These two test works without any change in my local env. Do you have any example to reproduce it? |
@ganmacs thank you for quick responding. for the second issue, could you explain more about why it doesn't work? for the |
Oh, sorry... Your suggestion is correct. I said that I had confirmed that current fluentd failed this test .
👍 |
@ganmacs sure, thank you for your confirmation |
Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.
Describe the bug
rfc5424 syslog can't be parsed with only regex.
Examples for incorrect behavior
[]
characters in message:Give this log message:
because fluentd parse extradata with
(\[(.*)\]
, it will consider the real message part as extra data as well, which is incorrectsource at https://github.com/fluent/fluentd/blob/master/lib/fluent/plugin/parser_syslog.rb#L30
rfc reference at https://tools.ietf.org/html/rfc5424#section-6.3
as docmented here https://tools.ietf.org/html/rfc5424#section-6.4 the MSG
regex just can't deal with it.
Your Environment
fluentd v1.9.1
Proposals for fixing
For issues like given in the examples, I can fix it by slightly enhance the regex. However, since
rfc5424
is indeed a binary-based protocol, regex is definitely not the way that we should go at the end of the day.Instead, we need to find a way to properly implement rfc5424 parsing, probably by integrate with a 3rd party library. However, I can't help with this part in a reasonable short term since I don't know ruby at all.
The text was updated successfully, but these errors were encountered: