[syslog-ng] Can TAG field be terminated by space?
Balazs Scheidler
bazsi at balabit.hu
Tue Oct 23 18:50:50 CEST 2007
On Mon, 2007-10-22 at 18:26 +0900, Tsurusawa Takeshi wrote:
> Hi,
>
> I'm using syslog-ng-2.0.5 and trying to store syslog messages into a DB table with
> a TAG field column.
>
> But when TAG fileld is terminated with space character(' ') in syslog message,
> syslog-ng parser returns as TAG field not only TAG field but also some extra strings
> end with a colon(':') in CONTENT field.
>
> For example, if MSG part is "program abc: message...", syslog-ng returns
> "program abc" as a TAG field.
>
> According to the section 4.1.3 of RFC3164, a space character can also terminate a TAG field.
>
> The TAG is a string of
> ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any
> non-alphanumeric character will terminate the TAG field and will be
> assumed to be the starting character of the CONTENT field. Most
> commonly, the first character of the CONTENT field that signifies the
> conclusion of the TAG field has been seen to be the left square
> bracket character ("["), a colon character (":"), or a space
> character.
>
> Is it possible to change this behavior of syslog-ng?
I'm usually reluctant to make such changes as it is very easy to create
regressions when changing the log parsing code.
However there were two similar cases in the message parsing code that
used different TAG terminator characters, thus I unified the two. (one
was using space as separator).
Here's the patch:
http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commit;h=4a84d904fe0fc5b3627773bafe6966ad9037386d
tomorrow's snapshot should also contain the change.
--
Bazsi
More information about the syslog-ng
mailing list