[rsyslog] Syslogtags with whitespaces misparsed?

Rainer Gerhards rgerhards at hq.adiscon.com
Fri Jul 17 15:42:10 CEST 2009


> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Luis Fernando Muñoz Mejías
> Sent: Friday, July 17, 2009 3:06 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] Syslogtags with whitespaces misparsed?
> 
> Rainer,
> 
> > In this case, however, I do really not see how I could handle that
> > intelligently within the parser
> 
> My guesswork, as you call it on the document you reference is something
> like "the first word after the timestamp must be the host name, 

Just to clarify so that everyone sees where the issues are ;)

First off, how do you know if there is a hostname? If the message is lacking
a hostname, the TAG will become it. Rsyslog assumes that a hostname is
present, but knows it is a TAG instead if a character is found that is not
valid inside the hostname. In this example "gconf" there is no way to know
this is not a valid hostname.

> and from
> there to the first colon it's all syslogtag;

Next, actually not-so-subtle issue: But what do you do if there is no colon at
the end of the syslog TAG? The RFCs demand none (because the header field is
SP-terminated) and also in practice there is not always a colon in it. So
following this rule would break RFC compatibility and also probably break a
lot more real-world cases than it fixes.

> if there's no colon I'll do
> whatever I want but crashing". But it's guessing, against RFCs, and I
> don't really think a syslog parser should play fortune-telling.
> 
> > I guess that the gconf folks will not want to change their format, because
> > that, too could potentially also break a lot of things (log parsers!).
> 
> I'll try to follow this up to gconf guys, so that they know that any log
> parsing of their messages is necessarily lacking *crucial*
> information. Anyways, gconf is the least important application to me,
> and I see some services around here showing the same symptoms.
> 
> > A solution within rsyslog configuration
> 
> In my scenario, the message has gone through several syslog relays and
> the correct host information is lost before it comes to my service, so
> there is no way to configure rsyslog to solve it. Another funny example
> is syslog's habit of saying "last message repeated N times". These
> messages don't have a colon or anything useful to delimit the
> application name. In this case, I receive *lots* of messages from a host
> called "last".

Brings up an interesting thought (for another time) - it may make sense to
de-multiplex these "last message repeated N times", but that's quite some
effort...

Rainer
> 
> Thanks for the clarifications.
> --
> Luis Fernando Muñoz Mejías
> Luis.Fernando.Munoz.Mejias at cern.ch
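The ambiguity discussed in this thread, as an added example that is not part of the original mails and is not rsyslog's parser code: a simplified model of the hostname-or-TAG rule described in the reply, beside the first-colon rule from the quoted mail, run on constructed log lines. The timestamp pattern, the hostname character set, the host name `web01`, the sample messages and all function names are assumptions.

```python
import re

# Simplified model of the two rules from the thread; not rsyslog's parser.
TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")  # assumed timestamp form
HOST_OK = re.compile(r"^[A-Za-z0-9.-]+$")  # assumed set of valid hostname characters

def parse_sp_terminated(line):
    """First word is the hostname unless it holds a character that is invalid
    in a hostname; the TAG is the next space-terminated word (no colon needed)."""
    m = TS.match(line)
    if not m:
        return None
    first, _, tail = line[m.end():].partition(" ")
    if HOST_OK.match(first):
        tag, _, msg = tail.partition(" ")
        return {"host": first, "tag": tag, "msg": msg}
    return {"host": None, "tag": first, "msg": tail}  # first word was the TAG

def parse_first_colon(line):
    """Rule from the quoted mail: first word is the hostname, everything from
    there to the first colon is the TAG."""
    m = TS.match(line)
    if not m:
        return None
    host, _, tail = line[m.end():].partition(" ")
    tag, colon, msg = tail.partition(":")
    if not colon:  # no colon anywhere: the rule gives no TAG boundary
        return {"host": host, "tag": None, "msg": tail}
    return {"host": host, "tag": tag, "msg": msg.lstrip()}

def unknown_hosts(lines, known_hosts, parser=parse_sp_terminated):
    """Hosts the parser reports that are missing from the inventory, e.g. "last"."""
    parsed = (parser(l) for l in lines)
    return {p["host"] for p in parsed if p and p["host"] and p["host"] not in known_hosts}

# Constructed sample lines; "web01" is a made-up host.
SAMPLES = [
    "Jul 17 15:06:01 web01 sshd[4321]: session opened",    # host and TAG present
    "Jul 17 15:06:01 web01 gconfd (user-4321): starting",  # TAG contains a space
    "Jul 17 15:06:01 gconfd (user-4321): starting",        # hostname lost at a relay
    "Jul 17 15:06:01 last message repeated 3 times",       # no hostname, no colon
    "Jul 17 15:06:01 web01 backup finished: 3 files",      # TAG without a colon
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_sp_terminated(s), parse_first_colon(s), sep="\n  ")
    print(unknown_hosts(SAMPLES, {"web01"}))
```

Comparing the reported hosts against an inventory, as `unknown_hosts` does, is a cheap way to spot records whose hostname field was really an application name.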