Multiple time formats for syslog input #2246

Closed
TaLoN1x opened this issue Dec 27, 2018 · 6 comments

TaLoN1x commented Dec 27, 2018

I need someone's help with syslog input configuration.

I am using a configuration as here:

<source>
  @type syslog
  tag development-poc
  port 5140
  protocol_type tcp
  time_format %Y-%m-%dT%H:%M:%S.%L%z
  with_priority true
</source>

The problem for me is that I use syslog messages with and without milliseconds from the same log sources.

Examples:
2018-12-27T06:47:02Z
2018-12-27T06:47:02.212Z

Some of my messages have a weird time format, like this:
Dec 27 09:46:57
##This is GMT+3 time

The question is whether I can somehow determine multiple time formats to match.
Right now I'm getting parse errors like this:
error_class = ArgumentError, error = invalid strptime format - `%Y-%m-%dT%H:%M:%S.%L%z'

Another question: is it possible to define milliseconds within the time_format variable as optional somehow?

Member

repeatedly commented Dec 27, 2018

If your syslog uses the rfc5424 protocol, you can mix with/without ms time in master (not released yet): #2240

Author

TaLoN1x commented Dec 27, 2018

It did solve some situations, but unfortunately there are lots of applications that do match the rfc-3164 standard, but use rfc5424-like timestamps.

Can that fix be somehow ported to be "global" for both rfc-3164 and rfc-5424?

@repeatedly
Member

> do match rfc-3164 standard, but use rfc5424 like timestamps.

What does this mean? Does your syslog daemon send multiple broken syslog formats in 1 instance?

> Can that fix be somehow ported to be "global" for both rfc-3164 and rfc-5424?

Currently no, because in_syslog supports the standard format, not broken formats.
So if your syslog or application sends a non-standard format, using in_tcp with multi-format-parser or your own input plugin is needed for now.

Author

TaLoN1x commented Jan 3, 2019

I handled my problem using in_tcp and the multi-format-parser plugin, but I am having a hard time parsing message facility and priority from the pri field. Could you give me a hint on how I could achieve that?
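
The PRI decoding asked about above, together with the mixed-timestamp fallback discussed in this thread, as an added example that is not part of the original issue and is not fluentd or multi-format-parser code. It is plain Ruby; the sample lines are constructed, and `decode_pri`, `parse_time`, `parse_line`, the facility keyword names, and the `year`/`utc_offset` parameters are assumptions of this example (RFC 3164 timestamps carry no year or zone, so the caller must supply them).

```ruby
require 'time'

# Facility keywords indexed by facility code 0..23 (names are this example's choice).
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
                ntp audit alert clock local0 local1 local2 local3 local4 local5
                local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze
# ISO-style formats tried in order; the first one that parses wins.
ISO_FORMATS = ['%Y-%m-%dT%H:%M:%S.%L%z', '%Y-%m-%dT%H:%M:%S%z'].freeze
LINE = /\A<(\d{1,3})>(\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)\z/m
# Constructed sample lines using the three timestamp shapes from the issue.
SAMPLES = [
  '<134>2018-12-27T06:47:02Z host app: started',
  '<134>2018-12-27T06:47:02.212Z host app: started',
  '<13>Dec 27 09:46:57 host app: started'
].freeze

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424); valid range is 0..191.
def decode_pri(pri)
  raise ArgumentError, "PRI out of range: #{pri}" unless (0..191).cover?(pri)
  { facility: FACILITIES[pri >> 3], severity: SEVERITIES[pri & 7] }
end

# Returns a UTC Time so events from differently configured senders can be correlated.
def parse_time(text, year:, utc_offset:)
  ISO_FORMATS.each do |fmt|
    begin
      return Time.strptime(text, fmt).utc
    rescue ArgumentError
      next # this format did not match; try the next one
    end
  end
  # RFC 3164 style: add the caller-supplied year and offset before parsing.
  Time.strptime("#{year} #{text} #{utc_offset}", '%Y %b %d %H:%M:%S %z').utc
end

def parse_line(line, year:, utc_offset: '+03:00')
  m = LINE.match(line.chomp) or raise ArgumentError, 'unrecognised syslog line'
  decode_pri(m[1].to_i).merge(time: parse_time(m[2], year: year, utc_offset: utc_offset),
                              rest: m[3])
end

SAMPLES.each { |l| p parse_line(l, year: 2018) } if __FILE__ == $PROGRAM_NAME
```
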

@github-actions

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days

github-actions bot added the stale label Jan 18, 2021
@github-actions

This issue was automatically closed because of stale in 30 days
