<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">And sure enough, if you post, you can stumble across the bug and its fix #238. Apologies.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">So, my outstanding question at this point - has anyone an EL6 spec/patch set handy?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<b>On Behalf Of </b>John Cole<br>
<b>Sent:</b> Monday, July 21, 2014 4:20 PM<br>
<b>To:</b> syslog-ng@lists.balabit.hu<br>
<b>Subject:</b> [syslog-ng] syslog driver parse bug?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">Apologies if I missed a bugfix in my web searching and manually scanning the changelogs.<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">I'm running syslog-ng (syslog-ng-3.2.5-3.el6.x86_64) on EL6 with the syslog driver as my network source:<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">source s_network {<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"> syslog(ip(0.0.0.0) transport("udp") port(514));<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"> syslog(ip(0.0.0.0) transport("tcp") port(514));<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">};<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<pre style="page-break-before:always"><span style="font-size:12.0pt;color:black">I have an application that does not have an internal synchronized clock source. Per RFC5424, "A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time." And, the grammar shows TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME<o:p></o:p></span></pre>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">When I specify the "-" NILVALUE in the syslog message, the syslog driver does not seem to be able to parse the message and does not log
anything.<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">If I hardcode a time value, all message fields seem to post appropriately.<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">Is this a new issue, or did I miss a version that addressed the handling of NILVALUE? Given RedHat lagging on versions, and Fedora's
subsequent changes, I haven't yet begun the effort of retrofitting the RPM source in RAWHIDE to test, with the hope that someone might recognize the bug, or have a pointer to an EL6 SRPM so I can test against latest...<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">Thanks for any/all pointers for a quick resolution!<o:p></o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="page-break-before:always"><span style="font-size:12.0pt;font-family:"Courier New";color:black">John</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
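<p class="MsoNormal">The RFC 5424 rule quoted in the original post, as an added example that is not part of the thread and is neither syslog-ng's parser nor the fix referenced above: a header parser that accepts the "-" NILVALUE as TIMESTAMP and stamps the message with its receipt time instead of dropping it. The function name, the returned field names and both sample messages are constructed for illustration.</p>

```python
import re
from datetime import datetime, timezone

# RFC 5424: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP ...
# Every header field after VERSION may be the NILVALUE "-".
HEADER = re.compile(
    r"<(\d{1,3})>([1-9]\d{0,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
# TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME (fraction of at most 6 digits)
STAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})")

# Constructed sample messages: one sender with a clock, one without.
WITH_TIME = "<165>1 2003-10-11T22:14:15.003Z host.example.com app 1234 ID47 - clock ok"
NIL_TIME = "<165>1 - host.example.com app - ID47 - no clock on this device"


def parse_header(line, received=None):
    """Parse one RFC 5424 message; a NILVALUE TIMESTAMP falls back to receipt time."""
    m = HEADER.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri, _version, stamp, host, app, procid, msgid, rest = m.groups()
    pri = int(pri)
    if pri > 191:
        raise ValueError("PRI out of range")
    if stamp == "-":
        # Sender has no usable clock: keep the message, stamp it on arrival.
        when = received or datetime.now(timezone.utc)
        sender_clock = False
    else:
        t = STAMP.fullmatch(stamp)
        if t is None:
            raise ValueError("malformed TIMESTAMP: %r" % stamp)
        fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if t.group(1) else "%Y-%m-%dT%H:%M:%S%z"
        when = datetime.strptime(stamp, fmt)  # also rejects month 13, hour 25, ...
        sender_clock = True

    def nil(value):
        return None if value == "-" else value

    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": when,
            "sender_clock": sender_clock, "host": nil(host), "app": nil(app),
            "procid": nil(procid), "msgid": nil(msgid), "sd_and_msg": rest}


if __name__ == "__main__":
    for sample in (WITH_TIME, NIL_TIME):
        print(parse_header(sample))
```

<p class="MsoNormal">The sender_clock flag records whether the stored time came from the device or from the receiver, which matters when the messages are later correlated against other sources.</p>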
</div>
</body>
</html>