[syslog-ng] syslog driver parse bug?

John Cole jcole at symbotic.com
Mon Jul 21 22:57:50 CEST 2014


And sure enough, if you post, you can stumble across the bug and its fix #238. Apologies.

So, my outstanding question at this point - has anyone an EL6 spec/patch set handy?


From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of John Cole
Sent: Monday, July 21, 2014 4:20 PM
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] syslog driver parse bug?

Apologies if I missed a bugfix in my web searching and manually scanning the changelogs.

I'm running syslog-ng (syslog-ng-3.2.5-3.el6.x86_64) on EL6 with the syslog driver as my network source:
source s_network {
        syslog(ip(0.0.0.0) transport("udp") port(514));
        syslog(ip(0.0.0.0) transport("tcp") port(514));
};


I have an application that does not have an internal synchronized clock source.  Per RFC5424, "A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time."   And, the grammar shows TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME

When I specify the "-" NILVALUE in the syslog message, the syslog driver does not seem to be able to parse the message and does not log anything.

If I hardcode a time value, all message fields seem to post appropriately.

Is this a new issue, or did I miss a version that addressed the handling of NILVALUE?  Given RedHat lagging on versions, and Fedora's subsequent changes, I haven't yet begun the effort of retrofitting the RPM source in RAWHIDE to test, with the hope that someone might recognize the bug, or have a pointer to an EL6 SRPM so I can test against latest...

Thanks for any/all pointers for a quick resolution!

John
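
The TIMESTAMP grammar quoted in the message above, as an added example that is not part of the original post and is not syslog-ng's code: a minimal RFC 5424 header parser that accepts the "-" NILVALUE instead of rejecting the message. The function names, the sample messages and the choice to fall back to the receive time are assumptions of this example.

```python
import re
from datetime import datetime, timezone

NILVALUE = "-"
# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)",
    re.DOTALL,
)
# FULL-DATE "T" FULL-TIME with optional 1-6 digit fraction and Z or numeric offset
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})")


def parse_timestamp(field):
    """TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME. Returns None for NILVALUE."""
    if field == NILVALUE:
        return None
    m = TS_RE.fullmatch(field)
    if m is None:
        raise ValueError(f"malformed TIMESTAMP: {field!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if m.group(1) else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(field.replace("Z", "+00:00"), fmt)


def parse_header(line, received_at):
    """Parse one message; a NILVALUE timestamp is kept and stamped with received_at."""
    m = HEADER_RE.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI: facility 23, severity 7
        raise ValueError("PRI out of range")
    sent = parse_timestamp(m.group("timestamp"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "hostname": m.group("hostname"),
        "app": m.group("app"),
        "timestamp": sent if sent is not None else received_at,
        "timestamp_from_sender": sent is not None,
        "rest": m.group("rest"),  # STRUCTURED-DATA and MSG, left unparsed here
    }


# Constructed sample input, not captured traffic.
RECEIVED = datetime(2014, 7, 21, 20, 20, 0, tzinfo=timezone.utc)
NIL_MSG = "<165>1 - sensor01 myapp 1234 ID47 - clock not available"
TIMED_MSG = "<165>1 2014-07-21T16:20:00.5-04:00 sensor01 myapp 1234 ID47 - clock ok"
```

The timestamp_from_sender flag lets downstream correlation tell a sender-supplied time from one assigned at receipt.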
