Skip Menu |

This queue is for tickets about the Net-Syslogd CPAN distribution.

Report information
The Basics
Id: 64288
Status: resolved
Worked: 15 min
Priority: 0/
Queue: Net-Syslogd
People
Owner: Nobody in particular
Requestors: Dave.Stafford [...] globis.net
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Tue Dec 28 09:27:50 2010 Dave.Stafford [...] globis.net - Ticket created
Subject: Regex for parsing log messages
Date: Tue, 28 Dec 2010 15:27:37 +0100
To: bug-Net-Syslogd [...] rt.cpan.org
From: Dave Stafford <Dave.Stafford [...] globis.net>
Hi, the regex for parsing log messages fails with the following (valid) log message from host IMAC: <189>Dec 28 14:06:00 IMAC logger: this is a test message It parses the date incorrectly as: "Dec 28 14:06:00 IMA" This is due to the regex on line 204 also trying to parse the timezone for Cisco formatted log messages. my $regex = '<(\d{1,3})>[\d{1,}: \*]*((?:[JFMASONDjfmasond]\w\w) {1,2}(?:\d+)(?: \d{4})* (?:\d{2}:\d{2}:\d{2}[\.\d{1,3}]*)(?: [A-Z]{1,3})*)?:*\s*(?:((?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(?:[a-zA-Z\-]+)) )?(.*)'; The problem comes with the regex looking for an optional space or colon after the timestamp part. A better solution would be to recognise that after the timestamp part is either a space, or a : if it is a cicso formatted message. I changed the regex on my system to the following, which seems to work for me: my $regex = '<(\d{1,3})>[\d{1,}: \*]*((?:[JFMASONDjfmasond]\w\w) {1,2}(?:\d+)(?: \d{4})* (?:\d{2}:\d{2}:\d{2}[\.\d{1,3}]*)(?: [A-Z]{1,3})*)?[:|\s](?:((?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(?:[a-zA-Z\-]+)) )?(.*)'; Dave
  Tue Dec 28 13:10:18 2010 VINSWORLD [...] cpan.org - Correspondence added
I tried to make the regex as flexible as possible accounting for the RFC 3164 format, the Cisco format (which is pretty ubiquitous given the Cisco device footprint) and the Net::Syslog format (version 0.03 - before the RFC-3164 patch in version 0.04). The version 0.04 of Net::Syslogd provides a '-regex' option to the process_message() method to account for these occurances where the provided regex doesn't account for the user's unique syslog message format. You can re-write line 204 (which it sounds like you did), or use the '- regex' option to process_message() which is the preferred approach. cheers.
  Tue Dec 28 13:10:19 2010 The RT System itself - Status changed from 'new' to 'open'
  Tue Dec 28 13:10:19 2010 VINSWORLD [...] cpan.org - Status changed from 'open' to 'rejected'
  Tue Dec 28 17:23:34 2010 Dave.Stafford [...] globis.net - Correspondence added
Subject: Re: [rt.cpan.org #64288] Regex for parsing log messages
Date: Tue, 28 Dec 2010 23:23:16 +0100
To: bug-Net-Syslogd [...] rt.cpan.org
From: Dave Stafford <Dave.Stafford [...] globis.net>
Show quoted text
> The version 0.04 of Net::Syslogd provides a '-regex' option to the > process_message() method to account for these occurances where the > provided regex doesn't account for the user's unique syslog message > format. > > You can re-write line 204 (which it sounds like you did), or use the '- > regex' option to process_message() which is the preferred approach.
I'd rather use the -regex opton than modify the source, so I'll give that a go. Thanks for the quick reply. Dave
  Tue Dec 28 17:23:35 2010 The RT System itself - Status changed from 'rejected' to 'open'
  Wed Apr 06 10:14:27 2011 VINSWORLD [...] cpan.org - Correspondence added 15 min
Correspondence with initiator indicated solution was found (use -regex option to process_message() method). 'Bug' resolved.
  Wed Apr 06 10:14:28 2011 VINSWORLD [...] cpan.org - Status changed from 'open' to 'resolved'