[rsyslog] rsyslog and snare
Martin Mielke
martinmie at PartyGaming.com
Sat Oct 31 02:28:22 CET 2009
Semi off-topic: release EventReporter under the same license as rsyslog
and you'll win a lot of happy friends ;-)
Cheers
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: 28 October 2009 14:13
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog and snare
>
> > > Jan 1 01:01:01 mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
> > >
> > > while in syslog format it does
> > >
> > > Jan 1 01:01:01 mail.abc.com MSWinEventLog#011Security#0114169#011Fri
> > >
> > >
>
> First things first: I really don't like to dig into snare, as I do not
> think it is a really good solution (but how could the designer of
> http://www.eventreporter.com say otherwise? ;)).
>
> so I assume you are talking about this message:
>
> mail.abc.com#011MSWinEventLog#0111#011Security#0114169#011Fri
>
> > Basically rsyslogd should respect RFC 3164 (Any non-alphanumeric
> > character will terminate the TAG field and will be assumed to be the
> > starting character of the CONTENT field.)
>
> Another thing to put straight: RFC3164 is NOT a standard, it is an
> informational document that describes things seen on the wire. And it
> does not even describe all *popular* cases. If at all, it gains some
> standard function via RFC3195, but this is questionable. Just for the
> record ;)
>
> So the key point here is that we have nothing to "respect" or "obey
> to", but rather something that describes things seen in practice. For
> any decent syslog receiver, this means it must try to work equally well
> with everything that comes in via legacy syslog. But, granted, RFC3164
> is useful if we have nothing else to look at.
>
> So let's do that. We'll immediately see that snare is broken, because
> no control characters are allowed in the hostname. So rsyslog does the
> right thing and escapes these characters. So everything belongs to the
> hostname and thus you have problems with tag.
>
> Damn... I didn't want to say something about snare. Now it has
> happened again. My conclusion: fix snare or use something that works ;)
>
> Rainer
>
> >
> > The result would be:
> > TAG: ''
> > MSG: '#011MSWinEventLog#0111#011Security#0114169#011Fri...'
> >
> > At least I think, any thoughts Rainer?
> >
> > The following works for me:
> > // If first character not alpha-numeric, skip tag parsing
> > if( !isalnum((int)*p2parse) )
> >     bTAGCharDetected = 1;
> >
> > Is this bad for other loggers?
> >
> >
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
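Added example, not part of the original messages and not rsyslog's own parser: a simplified C model of the behaviour discussed in the thread, showing how a tab between hostname and tag is escaped to `#011` and swallowed into the HOSTNAME field, and a receiver-side check that flags such a hostname. The function names (`escape_ctl`, `split_host_tag`, `hostname_ok`, `parse_ok`) are hypothetical, the inputs are constructed from the lines quoted above, and the timestamp is assumed to be already stripped.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape control chars as '#' + three octal digits (tab -> "#011"). */
static void escape_ctl(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (unsigned char c; (c = (unsigned char)*in) && o + 5 < outsz; in++) {
        if (iscntrl(c)) o += (size_t)snprintf(out + o, outsz - o, "#%03o", (unsigned)c);
        else out[o++] = (char)c;
    }
    out[o] = '\0';
}

/* Simplified legacy split (assumption: timestamp already stripped):
 * HOSTNAME runs to the first space, TAG to the first non-alphanumeric. */
static void split_host_tag(const char *s, char *host, char *tag, size_t sz) {
    size_t n = strcspn(s, " ");
    snprintf(host, sz, "%.*s", (int)n, s);
    s += n + (s[n] == ' ');
    for (n = 0; isalnum((unsigned char)s[n]); n++) {}
    snprintf(tag, sz, "%.*s", (int)n, s);
}

/* Receiver-side check: a hostname holds only letters, digits, '.' and '-'. */
static int hostname_ok(const char *h) {
    for (const char *p = h; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
    return *h != '\0';
}

static int parse_ok(const char *raw, char *host, char *tag, size_t sz) {
    char esc[256];
    escape_ctl(raw, esc, sizeof esc);
    split_host_tag(esc, host, tag, sz);
    return hostname_ok(host);
}

int main(void) {
    /* Constructed inputs modelled on the two lines quoted in the thread. */
    const char *in[] = { "mail.abc.com\tMSWinEventLog\t1\tSecurity\t4169\tFri",
                         "mail.abc.com MSWinEventLog\t1\tSecurity\t4169\tFri" };
    char host[128], tag[128];
    for (int i = 0; i < 2; i++) {
        int ok = parse_ok(in[i], host, tag, sizeof host);
        printf("ok=%d host='%s' tag='%s'\n", ok, host, tag);
    }
    return 0;
}
```

A hostname that fails `hostname_ok` is a useful signal on the collector that a sender is using a non-space delimiter and that host-based filters and alerts will not match its events.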