[rsyslog] Syslogtags with whitespaces misparsed?

Luis Fernando Muñoz Mejías Luis.Fernando.Munoz.Mejias at cern.ch
Fri Jul 17 15:05:38 CEST 2009


Rainer,

> In this case, however, I do really not see how I could handle that
> intelligently within the parser

My guesswork, as you call it in the document you reference, is something
like "the first word after the timestamp must be the host name, and from
there to the first colon it's all syslogtag; if there's no colon I'll do
whatever I want but crashing". But it's guessing, against RFCs, and I
don't really think a syslog parser should play fortune-telling.

> I guess that the gconf folks will not want to change their format, because
> that, too could potentially also break a lot of things (log parsers!).

I'll try to follow this up with the gconf guys, so that they know that any log
parsing of their messages is necessarily lacking *crucial*
information. Anyways, gconf is the least important application to me,
and I see some services around here showing the same symptoms.

> A solution within rsyslog configuration

In my scenario, the message has gone through several syslog relays and
the correct host information is lost before it comes to my service, so
there is no way to configure rsyslog to solve it. Another funny example
is syslog's habit of saying "last message repeated N times". These
messages don't have a colon or anything useful to delimit the
application name. In this case, I receive *lots* of messages from a host
called "last".

Thanks for the clarifications.
--
Luis Fernando Muñoz Mejías
Luis.Fernando.Munoz.Mejias at cern.ch
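
The heuristic described in the message above, as an added example that is not part of the original post and is not rsyslog's code: parse_guessing applies "first word is the host, up to the first colon is the tag", while parse_flagging leaves ambiguous fields empty and marks them so downstream rules do not key on a guessed host or tag. The function names, flag strings and sample lines are constructed for illustration.

```python
import re

# Constructed sample lines in the legacy BSD syslog layout (not from the original thread).
SAMPLES = [
    "Jul 17 15:05:38 node01 sshd[4242]: Accepted publickey for alice",
    "Jul 17 15:05:39 node01 gconfd (alice-2311): starting, pid 2311",
    "Jul 17 15:05:40 last message repeated 3 times",
]

HEADER = re.compile(r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
REPEAT = re.compile(r"last message repeated \d+ times?$")
CLEAN_TAG = re.compile(r"(?P<tag>[^\s:\[\]]+(?:\[\d+\])?): ?(?P<msg>.*)$")


def parse_guessing(line):
    """First word after the timestamp is the host; up to the first colon is the tag."""
    m = HEADER.match(line)
    if m is None:
        return None
    host, _, rest = m["rest"].partition(" ")
    tag, colon, msg = rest.partition(":")
    if not colon:                      # no colon: nothing delimits a tag
        tag, msg = "", rest
    return {"host": host, "tag": tag, "msg": msg.strip(), "flags": []}


def parse_flagging(line):
    """Same layout, but ambiguous fields are left empty and flagged, not guessed."""
    m = HEADER.match(line)
    if m is None:
        return None
    if REPEAT.match(m["rest"]):        # relay summary line: carries no host or tag
        return {"host": None, "tag": "", "msg": m["rest"], "flags": ["repeat-marker"]}
    host, _, rest = m["rest"].partition(" ")
    t = CLEAN_TAG.match(rest)
    if t is None:                      # tag has whitespace or no colon at all
        return {"host": host, "tag": "", "msg": rest, "flags": ["ambiguous-tag"]}
    return {"host": host, "tag": t["tag"], "msg": t["msg"], "flags": []}


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_guessing(line)["host"], "|", parse_flagging(line))
```

On the third sample the guessing parser reports a host called "last", which is the symptom described in the message; the flagging parser returns no host and marks the record instead.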



