On Thu, 2003-10-02 at 10:50, Mikael Olsson wrote:

> Syslog has become sufficiently loosely specified over the years that
> I'm afraid you'll have to be able to deal with just about any
> variation, including also missing timestamps.

Agree, I already do this (well, most of it) in the lib. But I try to get
down to the specs as much as possible, because modifying messages will
break syslog-sign and so I would like to do this as seldom as possible.

> Make your parser smart enough to figure out which fields are
> actually present and have it deal with things at runtime.

The host part is very hard to intelligently detect. If the following tag
has a colon in it, then this is fine. If not, you are more or less lost.
At least I can't think of any clever idea to find out that this one does
not have a host:

<13>Oct 1 18:02:32 rger test 4

OK, I agree that this format is seen very seldom - but you can find it...

> Perhaps you can make assumptions about locally-received
> events based on the host OS or such, but you can make no
> such assumptions about remotely received events, so I'd just
> go ahead and implement the full logic and apply it to all
> events.

I agree. But I was specifically talking about locally received messages.
I *know* they are different, because I have received them from a local
UNIX domain socket, so I know their origin. I need to treat them
specially in many cases. For example, if I later include code to
digitally sign them (syslog-sign), then I must modify the message so
that it reflects the proper format and then actually DO the signing.
This is not allowed with remote messages.

This is just to provide some background for my asking. Thanks for your
comment. It reminds me that syslog format is somewhat evil to deal
with ;-)

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
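The host-detection problem discussed above, as an added example that is not code from the thread or from Rainer's library: a small BSD-syslog parser that treats the first word after the timestamp as a host only when the word following it looks like a TAG with a colon, and explicitly flags the ambiguous case he quotes instead of guessing. The regexes, the SyslogMsg record and all sample lines other than the quoted one are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed patterns for the BSD syslog layout <PRI>TIMESTAMP HOST TAG: MSG,
# where each of PRI, TIMESTAMP and HOST may be absent on the wire.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
TAG_RE = re.compile(r"^[A-Za-z0-9_./-]+(\[\d+\])?:")  # e.g. "sshd[123]:" or "cron:"

@dataclass
class SyslogMsg:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: Optional[str]
    host: Optional[str]
    content: str          # TAG plus message text, host stripped when detected
    host_certain: bool    # False when the line could be read either way

def parse_bsd_syslog(line: str) -> SyslogMsg:
    rest = line.rstrip("\r\n")
    facility = severity = None
    m = PRI_RE.match(rest)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        facility, severity = pri >> 3, pri & 7
        rest = rest[m.end():]
    timestamp = None
    m = TS_RE.match(rest)
    if m:
        timestamp = m.group(1)
        rest = rest[m.end():]
    # Host heuristic: the first word is a host only if the word after it
    # looks like a TAG ending in a colon. If instead the line itself starts
    # with such a TAG, there is no host. Otherwise we cannot tell.
    host, certain = None, True
    first, _, remainder = rest.partition(" ")
    if remainder and TAG_RE.match(remainder):
        host, rest = first, remainder
    elif not TAG_RE.match(rest):
        certain = False   # e.g. "rger test 4": is "rger" a host or the message?
    return SyslogMsg(facility, severity, timestamp, host, rest, certain)

if __name__ == "__main__":
    for sample in (
        "<13>Oct 1 18:02:32 rger test 4",                           # ambiguous line from the thread
        "<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed",  # constructed, host present
    ):
        print(parse_bsd_syslog(sample))
```

A consumer that signs or forwards messages can use host_certain to leave ambiguous lines untouched rather than rewriting them into a form that may be wrong.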
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 06:40:02 PDT