pmrfc3164: Parse RFC3164-formatted messages¶
| Module Name: | pmrfc3164 |
| Author: | Rainer Gerhards <rgerhards@adiscon.com> |
Purpose¶
This parser module is for parsing messages according to the traditional/legacy syslog standard RFC 3164
It is part of the default parser chain.
The parser can also be customized to allow the parsing of specific formats, if they occur.
Configuration Parameters¶
Note
Parameter names are case-insensitive.
Parser Parameters¶
permit.squareBracketsInHostname¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
This setting tells the parser that hostnames that are enclosed by brackets should omit the brackets.
permit.slashesInHostname¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
New in version 8.20.0.
This setting tells the parser that hostnames may contain slashes. This is useful when messages e.g. from a syslog-ng releay chain are received. Syslog-ng puts the various relay hosts via slashes into the hostname field.
permit.AtSignsInHostname¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
New in version 8.25.0.
This setting tells the parser that hostnames may contain at-signs. This is useful when messages are relayed from a syslog-ng server in rfc3164 format. The hostname field sent by syslog-ng may be prefixed by the source name followed by an at-sign character.
force.tagEndingByColon¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
New in version 8.25.0.
This setting tells the parser that tag need to be ending by colon to be valid. In others case, the tag is set to dash (“-“) without changing message.
remove.msgFirstSpace¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
New in version 8.25.0.
Rfc3164 tell message is directly after tag including first white space. This option tell to remove the first white space in message just after reading. It make rfc3164 & rfc5424 syslog messages working in a better way.
detect.YearAfterTimestamp¶
| type | default | mandatory | obsolete legacy directive |
|---|---|---|---|
| binary | off | no | none |
Some devices send syslog messages in a format that is similar to RFC3164, but they also attach the year to the timestamp (which is not compliant to the RFC). With regular parsing, the year would be recognized to be the hostname and the hostname would become the syslogtag. This setting should prevent this. It is also limited to years between 2000 and 2099, so hostnames with numbers as their name can still be recognized correctly. But everything in this range will be detected as a year.
Examples¶
Receiving malformed RFC3164 messages¶
We assume a scenario where some of the devices send malformed RFC3164 messages. The parser module will automatically detect the malformed sections and parse them accordingly.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="customparser")
parser(name="custom.rfc3164"
type="pmrfc3164"
permit.squareBracketsInHostname="on"
detect.YearAfterTimestamp="on")
ruleset(name="customparser" parser="custom.rfc3164") {
... do processing here ...
}
See also
Help with configuring/using Rsyslog:
- Mailing list - best route for general questions
- GitHub: rsyslog source project - detailed questions, reporting issues
that are believed to be bugs with
Rsyslog - Stack Exchange (View, Ask) - experimental support from rsyslog community
See also
Contributing to Rsyslog:
- Source project: rsyslog project README.
- Documentation: rsyslog-doc project README