[syslog-ng] date parser

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Oct 25 21:15:23 CET 2015


Hi,

I am basically done with cleaning up the stuff. You can find my latest
version at https://github.com/balabit/syslog-ng/tree/f/date-parser

I still have to clean up the branch; it is currently just a dump of
patches, but the final state should be pretty close to what I'd try to push
for integration.

There's one issue that is still open: strptime() at least as implemented in
various libc versions is unusable, so we should probably roll our own
implementation. Reasons:

1) tm_gmtoff is not portable
2) %z as a parsing format is not portable
3) %z doesn't accept ISO8601 standard zone offsets when there's a colon
between hours and minutes

Also, it can be affected by locale settings (which is not good for the
syslog-ng case) and is probably very slow. (At one point syslog-ng used
strptime for normal log traffic and I remember replacing it with hand-coded
routines increased performance a lot.) I'll try to get an strptime
implementation from somewhere and tailor it to our needs.


Any feedback is appreciated.
Bazsi


-- 
Bazsi

On Sun, Oct 25, 2015 at 4:44 PM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> Hi,
>
> As I see you assume a date is from UTC if there's no timezone information.
> I would think that using the local timezone is more intuitive in this case:
>
>   testcase("Tue, 27 Jan 2015 11:48:46", NULL, "%a, %d %b %Y %T",
> "2015-01-27T11:48:46+00:00");
>
> What do you think?
>
>
> --
> Bazsi
>
> On Sun, Oct 25, 2015 at 12:36 PM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> thanks for the quick reply.
>>
>>
>> --
>> Bazsi
>>
>> On Sun, Oct 25, 2015 at 12:35 PM, Vincent Bernat <vincent at bernat.im>
>> wrote:
>>
>>>  ❦ 25 October 2015 12:32 +0100, "Scheidler, Balázs" <
>>> balazs.scheidler at balabit.com> :
>>>
>>> > I'd have a question though: I can see the date-offset() option for
>>> > date parser, which seems to skip the specified number of characters in
>>> > the input.
>>> >
>>> > Can you please describe the use case behind that? I'd be reluctant to
>>> > add such an option to a parser (as none of the others have such an
>>> > option), and it should be possible to do the same using template
>>> > functions, e.g. something like this:
>>> >
>>> > date-parser(template("$(substr $MSG 5)"));
>>> >
>>> > This would similarly skip the first 5 characters.
>>> >
>>> > If this addresses your original use-case, I'd drop the date-offset()
>>> > option.
>>>
>>> Yes, this would cover my use case.
>>> --
>>> Use library functions.
>>>             - The Elements of Programming Style (Kernighan & Plauger)
>>>
>>
>>
>
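
Added example (not part of the original message and not syslog-ng's code): a locale-independent zone-offset parser of the kind reasons 1 to 3 above call for. It accepts both `+0100` and the ISO 8601 `+01:00` form and returns the offset in a plain `long` instead of relying on `tm_gmtoff`. The function names and the return convention are assumptions made for illustration.

```c
#include <stddef.h>

/* Read exactly two ASCII digits without isdigit(), so locale cannot matter. */
static int two_digits(const char *s, int *out)
{
    if (s[0] < '0' || s[0] > '9' || s[1] < '0' || s[1] > '9')
        return 0;
    *out = (s[0] - '0') * 10 + (s[1] - '0');
    return 1;
}

/*
 * Hypothetical helper: parse "Z", "+hh", "+hhmm" or "+hh:mm" (sign may be '-').
 * On success returns 1, stores seconds east of UTC in *gmtoff and a pointer
 * to the first unparsed character in *end.
 * On failure returns 0 and leaves both outputs untouched.
 */
int parse_zone_offset(const char *s, long *gmtoff, const char **end)
{
    int sign, hh, mm = 0;

    if (*s == 'Z') {
        *gmtoff = 0;
        *end = s + 1;
        return 1;
    }
    if (*s != '+' && *s != '-')
        return 0;
    sign = (*s == '-') ? -1 : 1;
    s++;
    if (!two_digits(s, &hh))
        return 0;
    s += 2;
    if (*s == ':') {
        /* A colon must be followed by two minute digits. */
        if (!two_digits(s + 1, &mm))
            return 0;
        s += 3;
    } else if (two_digits(s, &mm)) {
        s += 2;
    }
    if (hh > 23 || mm > 59)
        return 0;
    *gmtoff = sign * (hh * 3600L + mm * 60L);
    *end = s;
    return 1;
}
```

A caller that gets 0 back for a timestamp with no zone at all still has to choose a default (UTC or local time), which is the question raised in the quoted testcase.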