[syslog-ng] Minimum Syslog Message Length

Gergely Nagy algernon at balabit.hu
Wed Dec 21 14:47:41 CET 2011


Balazs Scheidler <bazsi at balabit.hu> writes:

> On Thu, 2011-12-15 at 08:53 -0500, vincent at ragosta.net wrote:
>> Is it possible to specify a restriction on the minimum length of a
>> syslog message?  We often receive small, malformed messages that we do
>> not want to transmit.
>
> Right now it isn't. Maybe if you could match against them with a regexp,
> though that could be expensive. IIRC PCRE has repetition count limits,
> so you could do something like:
>
> To match for maximum 16 characters.
>
> filter f_malformed { match('^.{0,16}$'); };
>
> I'm not sure about the syntax though.

Another option is to write a template function that returns the string
length, and combine that with $(if).

So we'd end up with something like this:

filter f_malformed {
 match ('-', value ("$(if ($(length "${MSG}") <= 16) "-" "+")"));
};

The if would return - if the message is shorter or equal to 16 chars, +
otherwise, and the match would match only those that are -.

This might be faster than the regexp trick, but requires writing the
length template function. Doing so would be very easy though, about 10
lines of code or so.

-- 
|8]
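An added example (not from the thread or from syslog-ng itself) comparing the two approaches discussed above, a bounded-repetition regexp and a plain length check, over constructed sample messages. It uses Python's re module as a stand-in for PCRE, and the function names are hypothetical. It shows that the regexp only agrees with the length check when it is anchored at both ends and allowed to cross newlines.

```python
import re

LIMIT = 16  # threshold used in the thread

# Unanchored: the pattern can match the empty string at offset 0,
# so it "matches" every message regardless of length.
UNANCHORED = re.compile(r".{0,%d}" % LIMIT)
# Anchored at both ends; DOTALL lets '.' cover embedded newlines.
ANCHORED = re.compile(r"\A.{0,%d}\Z" % LIMIT, re.DOTALL)


def short_by_unanchored(msg: str) -> bool:
    return UNANCHORED.search(msg) is not None


def short_by_anchored(msg: str) -> bool:
    return ANCHORED.search(msg) is not None


def short_by_length(msg: str) -> bool:
    # What a length template function combined with $(if) would decide.
    return len(msg) <= LIMIT


# Constructed sample messages, not taken from the thread.
SAMPLES = [
    "",
    "x",
    "0123456789abcdef",   # exactly 16 characters
    "0123456789abcdefg",  # 17 characters
    "sshd[412]: Accepted publickey for admin from 192.0.2.10",
    "line1\nline2",       # short, but contains a newline
]


def classify(samples=SAMPLES):
    """Return (message, unanchored, anchored, length) verdicts per sample."""
    return [(m, short_by_unanchored(m), short_by_anchored(m), short_by_length(m))
            for m in samples]


if __name__ == "__main__":
    for msg, u, a, n in classify():
        print(f"{msg!r:60} unanchored={u} anchored={a} length={n}")
```

With the unanchored pattern a filter built this way would flag every message as malformed, including the full-length sshd line.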


