fluentd icon indicating copy to clipboard operation
fluentd copied to clipboard
verified publisher icon fluent

in_syslog: consider space between PRI and HEADER valid for RFC3164

Open daipom opened this issue 2 years ago • 0 comments

Is your feature request related to a problem? Please describe.

  • #4157

As is the issue here, in_syslog considers the following record invalid as RFC3164 because there is a space between PRI and HEADER.

<14> Apr 25 16:43:29 PAA-SW1-1 General[procLOG]: main.c(257) 272264 %% Stopping System API  application

As I commented in https://github.com/fluent/fluentd/discussions/4157#discussioncomment-5748811, RFC3164 does not seem to say this format is invalid.

https://www.rfc-editor.org/rfc/rfc3164#section-4.1.2 says:

The TIMESTAMP will immediately follow the trailing ">" from the PRI part

"will" is used, not "must". (If there is no other possibility, "must" should be used.)

Describe the solution you'd like

Consider space between PRI and HEADER valid for RFC3164.

Describe alternatives you've considered

We already have workarounds for this.

We can use time_format to solve the space between PRI and HEADER.

<source>
  @type syslog
  tag foo
  <parse>
    @type syslog
    time_format " %b %d %H:%M:%S"
  </parse>
</source>

Additional context

At first, I thought we needed to use parser_regexp as a workaround, but it was just a matter of setting up time_format. So there may be little need to support this.

daipom avatar Apr 28 '23 01:04 daipom