There have been some issues and talk about the way we parse syslog, and
the deficiencies of our grok and regex based approaches, mainly not
supporting structured data as I recall.
I played around with it some and decided to try to write an Antlr grammar
based on the RFC 5424 spec BNF to parse valid syslogs.

I have chosen to create this in my own github org, and will be distributing
through bintray/mvn central down the line.  I *may* end up doing PR’s to
Metron and Nifi around this but that is not definite.

If anyone is interested, I would really appreciate any review or feedback.
Also, if anyone has any ‘clean’ 5424 logs that they can safely contribute
to expand my test set, that would be much appreciated.

https://github.com/palindromicity/simple-syslog-5424


thanks
ottO
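An added example to illustrate the structured-data problem the post mentions; it is Python written for this page, not code from the simple-syslog-5424 project or its ANTLR grammar. It parses an RFC 5424 line into header fields, STRUCTURED-DATA (several SD-ELEMENTs, escaped `"`, `\` and `]` inside PARAM-VALUEs, the `-` NILVALUE) and MSG; the sample line is constructed.

```python
import re

# Constructed sample (RFC 5424 style, not a real log); the PARAM-VALUE holds an escaped ']'.
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="Application \\] tail"]'
          '[examplePriority@32473 class="high"] \ufeffAn application event log entry')
HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) '
                    r'(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')

def parse_structured_data(s, i):
    """Parse STRUCTURED-DATA at s[i] -> ({sd_id: {name: value}}, next_index); NILVALUE is '-'."""
    if s.startswith('-', i):
        return {}, i + 1
    elements = {}
    while i < len(s) and s[i] == '[':
        start = i = i + 1
        while s[i] not in ' ]':          # SD-ID runs to SP or ']'
            i += 1
        params, sd_id = {}, s[start:i]
        while s[i] == ' ':               # zero or more SD-PARAMs: name="value"
            eq = s.index('=', i + 1)
            name = s[i + 1:eq]
            if s[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted')
            i, buf = eq + 2, []
            while s[i] != '"':           # RFC 5424 6.3.3 escapes: \" \\ \]
                if s[i] == '\\' and s[i + 1] in '"\\]':
                    i += 1               # drop the backslash, keep the escaped char
                buf.append(s[i])
                i += 1
            i += 1                       # past closing quote
            params[name] = ''.join(buf)
        if s[i] != ']':
            raise ValueError('unterminated SD-ELEMENT')
        i += 1
        elements[sd_id] = params
    return elements, i

def parse_syslog(line):
    # Header fields, then STRUCTURED-DATA, then an optional MSG after a single SP.
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    rec = {k: (None if v == '-' else v) for k, v in m.groupdict().items()}
    rec['pri'], rec['version'] = int(rec['pri']), int(rec['version'])
    rec['facility'], rec['severity'] = rec['pri'] >> 3, rec['pri'] & 7
    rec['sd'], i = parse_structured_data(line, m.end())
    msg = line[i + 1:] if i < len(line) else None
    rec['msg'] = msg[1:] if msg and msg.startswith('\ufeff') else msg  # strip UTF-8 BOM
    return rec
```

A truncated line raises IndexError from the character loops, so a caller feeding untrusted input should catch that alongside ValueError.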
