The special parser in imuxsock does not parse RFC5424 header #4749
Comments
|
can you validate that this is happening on the current rsyslog release? 8.2010
was October 2020, just over a year old.
(to be clear, I don't remember seeing that it was fixed, but there have been a
half dozen releases in the meantime, and I don't notice every fix)
David Lang
…On Wed, 8 Dec 2021, dgouarin wrote:
Date: Wed, 08 Dec 2021 02:13:47 -0800
From: dgouarin ***@***.***>
Reply-To: rsyslog/rsyslog
***@***.***>
To: rsyslog/rsyslog ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [rsyslog/rsyslog] The special parser in imuxsock does not parse
RFC5424 header (Issue #4749)
when logging via imuxsock a RFC5424 formatted message
```
logger --rfc5424 "hello"
```
One would expect the message to be parsed. Instead, the header is handled as message data, for example :
Dec 8 11:01:04 t0008746-C9Z490-PG 1 2021-12-09T11:01:04.443899+01:00 kont-2037002 t0008746 - - [timeQuality tzKnown="1" isSynced="0"] hello
rsyslog debug output signals this error :
imuxsock.c : datetime.c ParseTIMESTAMP3339: invalid year: 1, pszTS: '2'
To workaround this issue, one must disable the useSpecialParser param :
```
input(type="imuxsock" socket="/dev/log" useSpecialParser="off")
```
as documented here https://rsyslog-doc.readthedocs.io/en/latest/configuration/modules/imuxsock.html
Could the special parser be fixed to handle and parse RFC5424 headers ?
rsyslog version: 8.2010.0
Ubuntu 18.04.4 LTS
|
|
Hi, issue reproduced this day on 8.2110.0 |
|
This is not an issue. It's how it works. If you need RFC5424, you need to disable the special parser. |
|
Some more background: The core idea of the special parser is that it parses a very specific format and also is able to override some fields. I don't think it makes sense to try to do this for all potential formats. Especially as RFC5424 provides great expressiveness in itself to provide e.g. high precision timestamps. So I do not see any value at all in trying to get the other items. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
when logging via imuxsock a RFC5424 formatted message
One would expect the message to be parsed. Instead, the header is handled as message data, for example :
Dec 8 11:01:04 t0008746-C9Z490-PG 1 2021-12-09T11:01:04.443899+01:00 kont-2037002 t0008746 - - [timeQuality tzKnown="1" isSynced="0"] hello
rsyslog debug output signals this error :
imuxsock.c : datetime.c ParseTIMESTAMP3339: invalid year: 1, pszTS: '2'
To workaround this issue, one must disable the useSpecialParser param :
as documented here https://rsyslog-doc.readthedocs.io/en/latest/configuration/modules/imuxsock.html
Could the special parser be fixed to handle and parse RFC5424 headers ?
rsyslog version: 8.2010.0
Ubuntu 18.04.4 LTS
The text was updated successfully, but these errors were encountered: