New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enhancement(syslog source): Add drop_invalid option #1455
Conversation
Signed-off-by: Stephen Wakely <fungus.humungus@gmail.com>
Signed-off-by: Stephen Wakely <fungus.humungus@gmail.com>
Signed-off-by: Stephen Wakely <fungus.humungus@gmail.com>
I think the test-stable-kubernetes test failure is it running out of memory. I was getting similar errors on my laptop until I increased the swap space. |
Thanks @FungusHumungus, we'll review this week and get it merged. |
Thinking about it, you may want to shelve this one in favor of issue #1454. Technically with RFC 3164 there is no such thing as an invalid message. If the message can't be parsed in some format, then the whole message becomes the message text without any additional fields. So there will not be any invalid messages that can be dropped. Potentially one may consider, for example, a message that doesn't have a valid facility to be invalid, but I imagine decisions like this would differ from user to user and could be handled by a transform instead. |
Yeah, that's the issue with RFC 3164. I'd be ok with that as long as we take care to default the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @FungusHumungus! Looks good to me.
Oh, whoops, forgot which PR I was looking at. I agree with the strategy of shelving this in favor of introducing a more relaxed parser that will not reject messages as invalid. I'll go ahead and close this for now, but we can reopen if we decide against that plan. |
Thanks @FungusHumungus, apologies for the misdirection. I agree that the new parsing strategy would be a better approach. Appreciate your thought around this. |
Fixes #746
I've added a new option to the syslog source - drop_invalid, default true.
When this option is false, if the message fails to parse, it doesn't drop the event - instead it creates an event with the message field populated, timestamp set to the current time.
Hopefully this pull request will work better. Many apologies for messing up that last one!