Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add more format handling to rfc3164, and passthrough output #57

Merged
merged 3 commits into from
Mar 31, 2020
Merged

Add more format handling to rfc3164, and passthrough output #57

merged 3 commits into from
Mar 31, 2020

Conversation

vche
Copy link
Contributor

@vche vche commented Mar 30, 2020

RFC3164 is very wide, and many (if not an) log format are allowed.
This pull requests improves the format accepted:

  • date can optionally have the year specified
  • date can optionally have the timezone name specified (i.e. UTC, PST, or any in the IANA database)
  • device specific formats can be added. One added is where hostname is specified in first position

A passthrough output module has also been added. When using RFC3164 for instance, it allows pushing events received in different format while conserving them, rather than reformating them in a common format.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

kurojishi
kurojishi reviewed Mar 31, 2020
View reviewed changes
src/flowgger/decoder/rfc3164_decoder.rs Outdated
@@ -63,6 +52,74 @@ struct Pri {
severity: Option<u8>,
}

fn decode_rfc_standard(pri: &Pri, msg: &str, line: &str) -> Result<Record, &'static str> {
// Decoding "usual" rfc input as advised in the rfc: [<pri>]<datetime> <hostname> <message>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usual is a bit of a weighed word here, recommended is probably better

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fair enough. will update the comment

src/flowgger/decoder/rfc3164_decoder.rs
}

fn decode_rfc_custom(pri: &Pri, msg: &str, line: &str) -> Result<Record, &'static str> {
// Decoding custom rfc input formatted as : [<pri>]<hostname>: <datetime>: <message>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what happned when we find a slightly different one again? Or is this the only real offender in the wild?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is one of device custom log formats, in this case for cisco devices, dates and hostnames makes flowgger compliant with nxos and ios. Most devices seem to comply with the recommanded usage. However there is for sure other formats. I cannot add all existing formats here, but the design update makes it easier to add them on case by case.

crisidev
crisidev approved these changes Mar 31, 2020
View reviewed changes
Copy link
Contributor

@crisidev crisidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vche vche merged commit eb39d91 into master Mar 31, 2020
@vche vche deleted the feature/rfc3164 branch March 31, 2020 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crisidev crisidev crisidev approved these changes

@kurojishi kurojishi kurojishi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vche @kurojishi @crisidev