[syslog-ng] syslog driver parse bug?
John Cole
jcole at symbotic.com
Mon Jul 21 22:20:23 CEST 2014
Apologies if I missed a bugfix in my web searching and manually scanning the changelogs.
I'm running syslog-ng (syslog-ng-3.2.5-3.el6.x86_64) on EL6 with the syslog driver as my network source:
source s_network {
    syslog(ip(0.0.0.0) transport("udp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(514));
};
I have an application that does not have an internal synchronized clock source. Per RFC5424, "A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time." And, the grammar shows TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME.
When I specify the "-" NILVALUE in the syslog message, the syslog driver does not seem to be able to parse the message and does not log anything.
If I hardcode a time value, all message fields seem to post appropriately.
Is this a new issue, or did I miss a version that addressed the handling of NILVALUE? Given Red Hat lagging on versions, and Fedora's subsequent changes, I haven't yet begun the effort of retrofitting the RPM source in RAWHIDE to test, with the hope that someone might recognize the bug, or have a pointer to an EL6 SRPM so I can test against latest...
Thanks for any/all pointers for a quick resolution!
John
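
Added example (not part of the original post, and not syslog-ng's parser): a small Python parser for the RFC 5424 header that accepts "-" as a valid TIMESTAMP, which can be used to confirm a test message is well-formed before blaming the collector. The sample messages, hostname, app name and IDs are constructed.

```python
import re
from datetime import datetime

NIL = "-"
P = "[!-~]"  # PRINTUSASCII, %d33-126
# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# "rest" is STRUCTURED-DATA plus optional MSG, left unparsed here.
HEADER_RE = re.compile(
    rf"<(?P<pri>\d{{1,3}})>(?P<version>[1-9]\d{{0,2}}) (?P<timestamp>{P}+)"
    rf" (?P<hostname>{P}{{1,255}}) (?P<app_name>{P}{{1,48}})"
    rf" (?P<procid>{P}{{1,128}}) (?P<msgid>{P}{{1,32}}) (?P<rest>.*)$",
    re.DOTALL,
)
# TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME (at most 6 fractional digits)
TS_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$"
)

def parse_timestamp(field):
    """None for NILVALUE, an aware datetime otherwise; ValueError on anything else."""
    if field == NIL:
        return None
    m = TS_RE.match(field)
    if not m:
        raise ValueError("bad TIMESTAMP: %r" % field)
    date, time, frac, tz = m.groups()
    frac = (frac or "0").ljust(6, "0")
    tz = "+0000" if tz == "Z" else tz.replace(":", "")
    return datetime.strptime(f"{date}T{time}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")

def parse_header(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    f, pri = m.groupdict(), int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    # NILVALUE is legal in every one of these header fields, not only TIMESTAMP
    out = {k: None if f[k] == NIL else f[k]
           for k in ("hostname", "app_name", "procid", "msgid")}
    out.update(facility=pri >> 3, severity=pri & 7, version=int(f["version"]),
               timestamp=parse_timestamp(f["timestamp"]), rest=f["rest"])
    return out

# Constructed sample messages: one with NILVALUE, one with a full timestamp
NIL_TS = "<134>1 - sensor01 myapp 4242 ID47 - clock not synchronized"
FULL_TS = "<134>1 2014-07-21T22:20:23.003+02:00 sensor01 myapp 4242 ID47 - clock ok"

if __name__ == "__main__":
    for msg in (NIL_TS, FULL_TS):
        print(parse_header(msg))
```

A receiver that gets no timestamp from the sender normally stamps the message with its own receive time, so a None result here is the point at which a collector would substitute its local clock.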