[ 
https://issues.apache.org/jira/browse/METRON-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16599252#comment-16599252
 ] 

ASF GitHub Bot commented on METRON-1750:
----------------------------------------

Github user JonZeolla commented on the issue:

    https://github.com/apache/metron/pull/1175
  
    It looks like the upstream palindromicity/simple-syslog-5424 assumes that the PRI will be included in a log. While this is in the spec/RFC and sent on the network, it is standard practice to not write this to disk; instead it is used by syslog software to choose which file to write it to, and stripped before writing to disk so the first component of the log is the date/timestamp. Situations where syslog is pulled from disk and sent into Metron will all fail with a syntax error. I would suggest that you work with the upstream lib (yourself) to make the PRI field optional =)
    
    Some evidence of my claims:
     * rsyslog documentation explaining that PRI fields are sent but not recorded [here](https://www.rsyslog.com/doc/v8-stable/tutorials/recording_pri.html).
     * The rsyslog built-in templates for writing to disk exclude PRI ([details](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates#brid-template-examples)).
     * Even legacy file formats only include PRI when forwarding ([details](https://rsyslog-doc.readthedocs.io/en/latest/configuration/templates.html#legacy-string-based-template-samples)).
     * [Back in 2010](https://serverfault.com/questions/110678/syslog-ng-how-to-log-severity-facility) the SUSE syslog-ng format defaults to writing without PRI.
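The failure mode described in the comment above (a strict RFC 5424 parser rejecting lines whose `<PRI>` was stripped by the syslog daemon before they reached disk) is easy to reproduce with a small parser. The following is an added example, not code from the Metron project or from the palindromicity/simple-syslog-5424 library: an RFC 5424 header parser in which PRI is optional, facility and severity are decoded from PRI when present (facility = PRI / 8, severity = PRI mod 8, per RFC 5424 section 6.2.1), and STRUCTURED-DATA is parsed with the RFC's escaping rules. It assumes, as a labelled simplification, that a daemon which strips PRI may also drop the VERSION field so the line starts at the timestamp; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample lines: the same event as sent on the wire (with PRI),
# and as a syslog daemon would typically write it to disk (PRI stripped).
WIRE_LINE = ('<165>1 2018-08-31T22:14:15.003Z host1.example.com evntslog 1234 ID47 '
             '[example@32473 iut="3" eventSource="Application \\"x\\"" eventID="1011"] '
             'An application event')
# Assumption: the on-disk form drops both PRI and VERSION, so the first
# component is the timestamp, as the comment above describes.
DISK_LINE = ('2018-08-31T22:14:15.003Z host1.example.com evntslog 1234 ID47 '
             '[example@32473 iut="3"] An application event')
NIL_SD_LINE = '<34>1 2018-08-31T22:14:15Z host1 su - ID47 - user root logged in'


@dataclass
class Syslog5424:
    facility: Optional[int]          # None when the PRI was stripped
    severity: Optional[int]          # None when the PRI was stripped
    version: Optional[int]
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: str = ''


HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'      # PRI: present on the wire, optional here
    r'(?:(?P<version>\d{1,2}) )?'    # VERSION: also optional (assumption)
    r'(?P<timestamp>\S+) '
    r'(?P<hostname>\S+) '
    r'(?P<appname>\S+) '
    r'(?P<procid>\S+) '
    r'(?P<msgid>\S+) '
    r'(?P<rest>.*)$', re.DOTALL)

# SD-ID / PARAM-NAME: 1..32 printable chars, excluding space, '=', ']', '"'.
_SD_NAME = re.compile(r'[^ =\]"]{1,32}')


def parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse STRUCTURED-DATA at the start of `text`; return (elements, msg)."""
    if text == '-' or text.startswith('- '):
        return {}, text[2:]                      # NILVALUE, rest is MSG
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(text) and text[pos] == '[':
        pos += 1
        m = _SD_NAME.match(text, pos)
        if not m:
            raise ValueError('missing SD-ID at offset %d' % pos)
        sd_id, pos, params = m.group(0), m.end(), {}
        while pos < len(text) and text[pos] == ' ':
            m = _SD_NAME.match(text, pos + 1)
            if not m or text[m.end():m.end() + 2] != '="':
                raise ValueError('malformed SD-PARAM at offset %d' % pos)
            name, pos, value = m.group(0), m.end() + 2, []
            while pos < len(text) and text[pos] != '"':
                # RFC 5424 6.3.3: '"', '\' and ']' inside a value are
                # backslash-escaped; drop the backslash, keep the character.
                if text[pos] == '\\' and pos + 1 < len(text) and text[pos + 1] in '"\\]':
                    pos += 1
                value.append(text[pos])
                pos += 1
            if pos >= len(text):
                raise ValueError('unterminated PARAM-VALUE in %s' % sd_id)
            pos += 1                             # closing quote
            params[name] = ''.join(value)
        if pos >= len(text) or text[pos] != ']':
            raise ValueError('unterminated SD-ELEMENT at offset %d' % pos)
        pos += 1
        elements[sd_id] = params
    if not elements:
        raise ValueError('STRUCTURED-DATA must be "-" or one or more SD-ELEMENTs')
    msg = text[pos:]
    return elements, msg[1:] if msg.startswith(' ') else msg


def parse_syslog(line: str) -> Syslog5424:
    """Parse one RFC 5424 line, tolerating a stripped PRI (and VERSION)."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not an RFC 5424 header: %r' % line)
    facility = severity = None
    if m.group('pri') is not None:
        pri = int(m.group('pri'))
        if pri > 191:
            raise ValueError('PRI out of range: %d' % pri)
        facility, severity = divmod(pri, 8)      # RFC 5424 section 6.2.1
    version = int(m.group('version')) if m.group('version') else None
    sd, msg = parse_structured_data(m.group('rest'))
    return Syslog5424(facility, severity, version, m.group('timestamp'),
                      m.group('hostname'), m.group('appname'), m.group('procid'),
                      m.group('msgid'), sd, msg)


if __name__ == '__main__':
    for sample in (WIRE_LINE, DISK_LINE, NIL_SD_LINE):
        print(parse_syslog(sample))
```

The design point is that facility and severity become `None` rather than a parse failure when the PRI is absent: a downstream enrichment can still key on hostname, appname and structured data, and a monitoring rule can count how many lines arrived without PRI to confirm which source is feeding file-sourced rather than network-sourced syslog.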


> Create Parser for Syslog RFC 5424 Messages
> ------------------------------------------
>
>                 Key: METRON-1750
>                 URL: https://issues.apache.org/jira/browse/METRON-1750
>             Project: Metron
>          Issue Type: Sub-task
>            Reporter: Otto Fowler
>            Assignee: Otto Fowler
>            Priority: Major
>
> Create a Metron parser for working with valid RFC 5424 syslog messages, 
> including support for structured data



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
